How can organizations mitigate the security risks caused by human error?

There is a great quote that goes something like this: “To err is human, but to really mess things up it takes a computer.” When applied to cybersecurity, this can work very well since human error is a major contributor to data breaches. Humans are by nature prone to making mistakes, and when working with complex technologies, the risks increase significantly. So it’s no surprise that nearly three-quarters (74 percent) of CISOs consider human error to be the most serious cybersecurity vulnerability, according to a recent study. study.

A more specific examination of the issues surrounding cloud security reveals a wide range of human problems. From technology misconfigurations and phishing to multi-factor authentication (MFA) errors, social engineering and alert fatigue, exploiting our general propensity for error has become a focus for attackers.

Take, for example, the security concerns associated with MFA, an approach to security that is actually designed to help reduce the risks that can arise from human error. Until recently, MFA was able to prevent the vast majority of cybercriminals from accessing proprietary services, even if they had usernames and passwords. In this context, if a user is tricked into handing over login information, MFA will provide an additional layer of protection.

The problem today is that MFA systems themselves are now being targeted by hackers who are using highly effective strategies to bypass what was once considered a strong security process. Part of the problem here is the large number of push notifications that users may receive when accessing multiple systems or services every day. This can mean that employees become less willing to give everyone their full attention, and if a user mistakenly approves a fraudulent MFA request, attackers can easily gain unauthorized access to sensitive systems and data.

Employees are being targeted on multiple fronts. What may seem like a completely innocuous act, such as posing for a work photo, may unwittingly reveal security details, such as those displayed on laptop screens or security badges. Once posted anywhere on the Internet, these images provide cybercriminals with a rich source of information, including everything from helping them determine which corporate software applications to attack to information about employees that could be used to launch an attack.

In other cases, employees connecting their mobile phones to the corporate Wi-Fi network may accidentally expose their corporate network to attack. This could happen as a result of risky online behavior during a break, or due to mobile malware lying dormant on their personal devices. In any case, employers must use increasingly sophisticated security tools to ensure that access is properly restricted.

These are difficult challenges, and the situation is made even more complex and alarming by the widespread use of AI by threat actors looking to up their game. For example, phishing and AI social engineering attacks use highly personalized and persuasive phishing emails that mimic human behavior or trusted contacts. This can significantly increase the likelihood that users will unknowingly provide credentials or sensitive information.

There is also a risk that security teams could become overly reliant on AI systems to detect threats, assuming that AI is less likely to make mistakes than humans. However, if AI misclassifies or misses the real threat, operators may ignore critical issues. Additionally, AI-powered security systems can generate large volumes of alerts, some of which may be false positives. The danger here is that security teams can become overwhelmed, causing real threats to be missed, also known as alert fatigue.

Eliminate risks

So what can security teams do to identify and address risks associated with human error? The first thing to understand is that it is almost impossible to completely eliminate these problems, but effective mitigation strategies can help close the many loopholes that currently exist.

For example, according to the Cloud Security Alliance, misconfiguration of cloud applications or platforms is the leading cause of data breaches, followed by poor identity controls and access management. Therefore, organizations should ensure that they follow architectural best practices and policy recommendations provided by cloud service providers regarding the security of interfaces and APIs. Additionally, these best practices must be well documented, and all employees must be made aware of the cybersecurity and cloud security protocols that the organization must actively implement.

Almost everyone is familiar with the benefits and limitations of security training, but it remains a vital tool for improving security. What needs to change, however, is that training needs to be more specifically targeted to individual users based on the likelihood they will be targeted and the risks they face associated with their role. It should also be mandatory and updated regularly to ensure users are aware of the latest techniques used by cybercriminals.

For example, by training employees on how to better store their credentials, organizations can reduce the likelihood of a successful phishing attack and protect their valuable data. What many of these measures have in common is the need to improve existing strategies. In the case of MFA, where the risks continue to rise, biometric authentication such as fingerprints, facial recognition or iris scanning offers a more secure additional layer of identity verification.

AI also plays a positive role in security. Today’s powerful artificial intelligence tools can organize massive amounts of data into event patterns and alert security officials when their intervention is required. By eliminating the need for alerts that can lead to missing critical threats, security teams can more effectively and accurately detect threats and vulnerabilities in real time.

By bringing these different elements together, organizations can do a lot to address the security challenges associated with human error. Adopting the right mindset is critical, and focusing on continuous improvement can be the key to better protection in the long run.

Image Credit: Antonio Guillem / Dreamstime.com

Chris Jackson – Director of Products and Technology at six degrees.