Here's a scenario: your bank has implemented an unbreakable cybersecurity solution. It neutralizes any outside threat and keeps sensitive data like customer information as safe as possible. One day, you come into work to find that all of it has been compromised. At this point, you're asking yourself, "how could this possibly have happened?" Let's look beyond the security technology itself.
Human error occurs when an employee or an end user accidentally performs an action that allows a security breach to take place.[1] The actions vary, but the most common are interacting with malicious emails, visiting fake websites, and downloading infected software or documents. Phishing and other social engineering attacks are the best-known types of human error attacks. Here, cybercriminals send targeted emails to employees, manipulating them into visiting a link that leads to a fake website, where the user fills in a fake login prompt that steals their credentials.
Even with modern anti-malware and phishing-detection software embedded in your email service, cybercriminals know these protections only go so far. They keep refining their phishing and malware delivery so that current software does not automatically detect it. Once a cybercriminal obtains a password from an employee at this point, there is no other technical solution that can stop the cyber attack.[2]
In a phishing email, there is a hyperlink that, when clicked, leads the victim to a fake version of a website containing a login prompt. When the victim attempts to log in via the fake login prompt, the cybercriminal captures their login credentials. The cybercriminal can then use those credentials to log in to the real version of the website as the victim. This gives the cybercriminal complete access to everything the victim has, which could cause a data breach and potentially expose sensitive customer information.
Let's put this into a real-world scenario. Your payroll manager receives an email from a cybercriminal posing as a bank. The email carries an urgent message: "Please log in and verify your account information." The payroll manager falls for the bait and clicks the hyperlink, which leads them to a fake version of the bank's website. This fake version looks identical to the real one except for some changes to the URL, which many users overlook. The payroll manager then finds a login prompt and enters their account credentials. Once entered, the cybercriminal captures this information and logs in to the bank's legitimate website as the payroll manager.
This example shows a monetary security breach but can be applied to any online service, like cloud databases or website hosting services.
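The URL change the payroll manager overlooked is exactly what an email gateway or awareness tool can check mechanically. The following is an added example (not from the original post or any vendor product) that classifies every hyperlink in an email body against a bank's known domain; the domain `bank.example`, the sample email and the `link_verdict`/`scan_email` names are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical values for the scenario above (constructed, not a real bank).
TRUSTED_DOMAIN = "bank.example"         # the bank's real registrable domain
BRAND = TRUSTED_DOMAIN.split(".")[0]    # "bank"


def link_verdict(url: str) -> str:
    """Classify a hyperlink's destination as 'trusted', 'downgraded',
    'lookalike' or 'untrusted'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    # The real domain or a subdomain of it: only trusted when served over TLS.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted" if parsed.scheme == "https" else "downgraded"
    # Userinfo trick: in "https://bank.example@evil.net/" the browser goes to
    # evil.net, but the trusted name is what the reader sees before the '@'.
    # The same test catches "bank.example.verify-account.net".
    if TRUSTED_DOMAIN in parsed.netloc.lower():
        return "lookalike"
    # Internationalised (punycode) labels can render with the brand's glyphs.
    if "xn--" in host:
        return "lookalike"
    # Brand name embedded in an unrelated host, e.g. "secure-bank-example.com".
    # This is a heuristic and will also flag unrelated hosts containing "bank".
    if BRAND in host.replace("-", "."):
        return "lookalike"
    return "untrusted"


HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def scan_email(html: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every hyperlink in an HTML email body."""
    return [(u, link_verdict(u)) for u in HREF_RE.findall(html)]


# Constructed sample resembling the payroll-manager email in the scenario.
SAMPLE_EMAIL = """
<p>Please log in and verify your account information.</p>
<a href="https://bank.example.verify-account.net/login">Log in now</a>
<a href="https://online.bank.example/help">Help centre</a>
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

A gateway would quarantine or rewrite any link that scores 'lookalike', and an awareness tool can show employees the verdict beside the link so the URL difference is no longer something they have to spot unaided.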
While poor password hygiene is not a direct result of human error, it is a product of inherent human behavior, and over time that behavior predictably leads to error. Many employees use common passwords or common password phrases like "123456" or "password."[3] These passwords can be cracked easily, giving hackers access without breaking a sweat. The opposite scenario is an overly complex password that employees need to write down or share just to remember it.
And human error is not just an employee issue, nor is it only the employee's fault. IT admins play a role in human error as they add better technologies, which is a double-edged sword.
Banks have more advanced and complicated work environments with more tools to use. This improves customer service quality but comes at the cost of inevitable human error. Each new tool has its own login, username, and password. Over time, employees want to take shortcuts and choose easier and easier passwords for these tools, leading to an inevitable cyber attack.
When employees face pressure from IT teams to use stronger passwords or security methods, and the media repeatedly reports that cyber threats are common, it should not be a surprise that your employees become stressed about cybercriminals and suffer password fatigue.
Human error that comes from employees failing to follow strong data security practices can result in breached or exposed company data. For example, Morgan Stanley faced a class-action lawsuit after its decommissioned computer equipment was discovered to contain the personal data of over 15 million customers.[4] Even though there were claims that the issue arose from a software flaw, the company did not follow proper data protection practices, and so it bore the blame and ultimate responsibility for the massive data breach.
The IT security team was not aware of the decommissioned computer equipment and lacked the visibility to know what data needed to be protected. As a result, cybercriminals had a free pass to circumvent traditional security controls.
Employee education is key to protecting your bank against cyber attacks. Let's review the fundamentals:
When you notify your employees about new security technologies, you must give them personal values and reasons to opt into the new technology. If you only provide values that benefit the company or that your employees cannot relate to, they are more likely NOT to use the new technology. For example, if the new security solution uses biometrics, tell employees that if they have used an iPhone with Touch ID or Face ID, they have already been exposed to biometric authentication.
IT admins should be personable, patient, and have a sense of humor when introducing a new solution to employees. You are now marketing the solution to your own staff, so guide them and convince them that it benefits them. A best practice is to build gamification around the new solution to encourage employees to use the new security control. For example, track how many times staff use the new solution and give a substantial award to the employee who used it the most in a given timeframe.
Employees are the weakest link in any cybersecurity strategy. As Thomas Reid once said, "A chain is no stronger than its weakest link," meaning that no matter how strong or up-to-date your security controls are, they are still susceptible to human error. What causes human error in cybersecurity?
Do your employees gravitate toward passwords and PINs over biometrics and OTPs? Do your IT admins have proper training for your employees? Are your employees falling for targeted phishing emails?
Today, banks rely on their employees to maintain a high level of security, but with human error behind 88% of all data breaches in 2021, your employees are the difference between being a victim and preventing the attack.
We spoke to one of our customers, Orange Bank and Trust, which had cyber issues, especially with how employees dealt with security. The bank found employee education to be highly important to improving cybersecurity and focused on educating employees on why cybersecurity should matter to them, not just to the bank.
References:
[1] https://blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches
[2] https://thehackernews.com/2021/02/why-human-error-is-1-cyber-security.html
[3] https://www.packetlabs.net/posts/human-error-in-cybersecurity/
[4] https://www.bloomberg.com/news/articles/2022-01-03/morgan-stanley-to-pay-60-million-to-settledata-breach-claims