Human error poses a significant risk to cybersecurity. One IBM study traced 95% of breaches back to mistakes made by individuals. Whether it’s sharing sensitive information via insecure channels, falling for phishing emails, or neglecting software updates, such errors can lead to devastating cyber-attacks, resulting in data breaches, financial losses, and damage to a company’s reputation.
And yet, cybersecurity gap assessments consistently reveal that many people at work tend to feel relaxed when communicating sensitive information internally, acting on requests they receive via internal email and generally operating within what they think of as a secure network.
A business works hard to strengthen its security stance, and you want staff to feel safe operating within it, but there is such a thing as being too comfortable. People are busy. They take shortcuts. They make mistakes. They rely on the security measures taken by the company. It’s natural.
To strengthen cybersecurity, organisations can address human error through education, training, and fostering a strong security culture. Making it easier to do the right thing can reduce the occurrence of common mistakes.
In honour of Cybersecurity Month, let’s consider how an organisation can support its employees in their day-to-day contribution to the company’s cyber security stance by embracing the power of process.
Make it Easier to get it Right
Sharing passwords and encryption keys alongside encrypted documents is more common than you think. Often, these pieces of sensitive information end up in the same email and saved in the same location by the recipient. They may think it’s acceptable because it’s within their secure internal network, but this is risky behaviour that can lead to costly breaches.
Well-structured processes and clear procedures for handling data are essential and can act as a shield against human error. By combining education and training with user-friendly tools like password vaults, multi-factor authentication, secure communication channels, access monitoring and digitally verifiable approvals you can mitigate the risk of human error.
Regularly Rethink Security Protocols
Let’s say you have the latest technology and top-notch security procedures in place. Here’s the thing: even with 100% security at a given moment, it’s only temporary because technology and attack methods are changing all the time. To stay ahead and keep your organisation’s security on point, regular review and redefinition of protocols and processes are crucial.
At BizCubed, we’re all about processes, so becoming ISO 27001 certified has been a natural fit. It provides us with a structured risk assessment framework that perfectly aligns with our data engineering methodology. We appreciate the rigour and the recognition that technology, security, and risk are constantly evolving.
That’s why regular review, assessment, and updates are vital and why establishing this process is part of future proofing the business. We stay informed about new risks and anticipate future challenges to keep your data safe.
What about when Process is not followed?
To effectively mitigate human error, companies must enforce structured processes. Setting clear guidelines for handling sensitive data minimises the chance of slip-ups. Inserting tools, approvals and digital steps along the process can help, but mistakes will still happen, and people find workarounds.
Processes must be enforced, but taking a punitive approach is not advised. Of course, if an employee wilfully breaches protocol over and over again at risk to the business, that becomes a performance management issue to be dealt with.
But generally, when it comes to mistakes like skipping steps in a cyber security process, it is a good idea to treat breaks in protocol and process as opportunities for education and for reinforcing the critical role that each employee plays in the company’s cyber security stance. When errors occur, open discussions help everyone understand the root causes and develop strategies to prevent recurrence.
The objective should be to create a culture in which admitting to mistakes and reporting potential security breaches is encouraged. You don’t want employees to hide their mistakes for fear of repercussions, because when a cyber-attack happens you want to know about it as quickly as possible.
Process is for Leadership, too
Cyber criminals have pretended to be business leaders, sending what looks like a real company email from within the secure network to trick accounts payable into making large payments to fraudulent recipients. They have pretended to be senior staff members calling the help desk to have their passwords reset, even though the request does not follow the usual company process and protocol.
These kinds of tactics work for a number of reasons, not least of which is the widespread assumption that the rules need not apply to those at the top, or near the top.
Business leaders, as role models, can play a pivotal role in shaping a robust and resilient security culture by demonstrating that they adhere to the same security protocols they expect employees and clients to follow.
Zero Trust: The Future of Cybersecurity
Again, you want people to feel that they work within a secure environment, but you absolutely do not want that to lead to a relaxation of security protocols.
These days it’s advisable to veer ever closer towards a zero-trust approach to cybersecurity.
By establishing processes, supporting process with technology and security protocols, making it easy for employees to do the right thing, and adopting a zero-trust approach, organisations can significantly enhance their cybersecurity stance.
Business leaders play a crucial role in shaping the security culture, and regular risk assessments ensure that security measures remain effective. Ultimately, a process-driven approach that encourages transparency and continuous improvement will make your business more resilient in the face of cyber threats.
Remember: Cybersecurity is a shared responsibility, and the right processes can transform your employees from potential liabilities into powerful assets in the fight against cyber threats.
Andrew Cave
Andrew Cave is a senior data engineer with BizCubed. He has worked in network data, billing, telco credit and debt after a career in the welfare sector. He loves databases. Follow him on LinkedIn