Human error is responsible for 74% of data breaches
The number of cybersecurity incidents and data breaches gets more alarming every year. Data from these breaches is incredibly valuable, whether sold directly on the black market or leveraged for extortion attempts. Breaches can also lead to ransomware attacks that can disrupt an organization for days — or even weeks.
Verizon’s 2023 Data Breach Investigations Report (DBIR) details examples of human errors that lead to data breaches. In fact, 74% of incidents include some human element, such as clicking on a phishing link. Whether it's a man-in-the-middle attack over Wi-Fi, a social engineering scam or something else, humans are inadvertently involved in most data breaches.
However, the good news is that organizations have the power to reduce the human risk related to potential data breaches. Security awareness training is one of the most effective ways to empower employees to recognize these threats — and help protect your organization.
Why human error is a major risk factor
Technology alone will not keep your organization safe. Humans are the backbone of any organization, but they are not cybersecurity experts by nature.
Employees can accidentally expose data in many ways, such as incorrect sharing settings, falling for a phishing scam or connecting to unsecured Wi-Fi. With the rise of remote work, employees are no longer physically protected by the constraints of the office, so they may inadvertently let their guard down, which could lead to an unfortunate data breach.
Phishing simulations & training
Types of data breaches
While human security breaches can be incredibly damaging, most threat actors are accessing an organization's data through stolen credentials, phishing and exploiting vulnerabilities.
Human error
Human error is the biggest contributor to any data breach. Nearly three out of four incidents involved a human element like error, privilege misuse, stolen credentials or social engineering. For example, digital risk protection firm DarkBeam inadvertently exposed billions of email and password combinations due to an unprotected database interface.
Privilege misuse
Privilege misuse is often a more purposeful type of data breach caused by insider employees. A famous example is Edward Snowden, a whistle-blower who leaked classified NSA surveillance details to the media in 2013. However, privilege misuse can also happen on a much smaller scale. It can also mean sensitive data is sent to a personal email or a computer — or that a staff member tries to access a system they don't have authorization to use.
Stolen credentials
Stolen credentials are the most sought-after type of data. Once a malicious actor has access to login information, they can use that access to spread malware, ransomware or another type of virus. Cybercriminals can access this login information through vulnerabilities in your systems architecture or a team member inadvertently typing in passwords on a fake website. For example, criminals used a stolen credential to infiltrate Okta's support management system to view files uploaded by customers for support.
Social engineering
Social engineering is often an umbrella term encompassing all the techniques to target individuals to reveal specific information, including credentials or privileged information. Social engineering attacks aim to access an organization's files, applications and network infrastructure by using psychological human weaknesses to trick employees into revealing valuable information.
According to Verizon's research, one particular type of social engineering attack — business email compromise (BEC) — doubled within the last few years. It now represents more than 50% of pretexting attacks. In this type of social engineering scam, fraudsters insert themselves into an existing email thread with a request that appears legitimate.
BEC attacks are more dangerous than a typical phishing attack in a few ways; first, they don't contain malware or malicious email attachments, so they might be overlooked by automated inbox detection. They also target specific individuals with highly personalized information and leverage the concepts of secrecy, urgency and authority to get an employee to take action.
Consequences of data breaches
Organizations face a variety of consequences after a data breach, from negative brand perception from news headlines to the financial impact of paying staff (or third-party vendors) to remediate the situation.
Lost customer trust
Privacy and security matter to the modern-day consumer, and businesses that breach this trust suffer the consequences. Research has found that nearly half of consumers say they lost trust in a brand that experienced a data breach. Not only does a cyber incident impact the acquisition of customers, but it can lead to increased current customer churn as well.
See Infosec IQ in action
Regulatory fines
After a data breach, if your business is found to be out of compliance with regulations like GDPR, CCPA, HIPPA or PCI, you could pay a hefty fine. The largest data breach sign of all time was from a Chinese technology company that paid $1.19 billion after it violated the nation's network security law, followed by Amazon, which was fined $877 million for GDPR violations.
Ransoms
Ransomware makes up 24% of data breaches, and even if your business pays a ransom to cybercriminals to unlock your company's data, you might not get your data returned to you. For example, Caesars Palace in Las Vegas paid a $15 million ransom to an organized crime group in an effort to return to business as usual after an attack.
Downtime
In the event of a data breach, your systems might be offline for days or even weeks. The average cost of a single minute of downtime is $5,600, and this price increases with your organization's size. Not only does downtime cost money, but it also produces losses in productivity and efficiency for your employees.
How to reduce human error
The good news is that there are proven steps to help organizations reduce types of human error.
Employee security awareness training
One of the best ways to protect your organization is to thoroughly educate employees on the cyber threats they might encounter. Not only does cybersecurity awareness training help prevent innocent errors, but it also helps staff members become more proactive. Properly trained team members can play a critical role in your organization's defense.
However, it’s important that employee security awareness training educates team members in a way that is relevant to their role. For example, the financial department might need to be trained against different cyber threats than the marketing department.
Multi-factor authentication
With multi-factor authentication, there is an additional layer of security built into the process. This extra layer of security prevents threat actors from infiltrating systems. If someone’s credentials are compromised, threat actors may still not be able to access those systems as another factor is needed, such as an authentication code.
Build a culture of security
Building a security culture that invites employees into the cybersecurity process is critical. While innovative technology can support automated threat monitoring, the best way to prevent human error is to empower those humans who are inadvertently a part of so many data breaches.
See Infosec IQ in action
Want more tips for empowering your employees and keeping your organization secure? Speak to someone at Infosec about industry- and role-based cybersecurity awareness training.