Executive Summary
- When it comes to cyber security, most businesses are rightly focused on things outside of their business – from crafty criminals to virulent viruses. But the risk can sometimes come from inside, too.
- Human error is one of the most overlooked causes of successful cyber security breaches, and it’s also one of the hardest to control.
- Successfully mitigating cyber attacks based on human error or social engineering isn’t rocket science, but it requires focused effort on the part of the business. In this article, we’ll explain how to do it.
Introduction
What would you say is the biggest risk to your business in terms of cyber security?
Perhaps a large-scale DDoS attack? Or maybe a virus infection across your entire fleet of workstations? It could be that ransomware is your largest concern.
While all of these certainly pose significant risks to the cyber security of UK companies, there’s one type of risk which is present in every business — and it’s tough to tackle.
We’re talking about human error. And, because we’re all human after all, it’s something you should be aware of and understand how to mitigate.
Here’s what you need to know about the human factor in cyber security.
The risk of password management
One of the primary sources of human error in any business comes from existing security measures — especially passwords.
We’ve talked about this in-depth before on the Get Support blog, and for very good reason — passwords can represent a huge security hole.
Whether your employees are logging in to their email account remotely or simply accessing their device, choosing a weak or easily guessed password like “opensesame123” can essentially provide an open-door policy for cyber criminals.
Social engineering cyberattacks
Social engineering is a form of cyberattack which has been on the rise lately, especially since the global pandemic and rise of remote working.
In short, social engineering refers to cyberattacks which rely on deceiving an employee into sharing or giving access to confidential or sensitive business data, or even transferring money directly.
There are a few different variations of this type of attack, including “whaling” (posing as high-level employees to trick colleagues into taking action) and “spear phishing” (targeting a specific person at a company). Regardless of the type of attack, social engineering is the mechanism by which they operate, and they do so on the basis of human conditioning. For example, if we are convinced an email is from our CEO, we are far more likely to take whatever action is requested of us. This is social engineering in action and it takes full advantage of our tendency towards human error.
The role of software updates and patches
The risk of human error doesn’t always involve a third-party like a cyberattacker. In many cases, criminals can simply take advantage of complacency or simple lack of time – as in the case of software updates and patches.
Most of us know that keeping software up to date is essential to prevent cyberattacks, but most of us will also be guilty of postponing the install of updates when the reminder message appears on our screen. The trouble is that, if the patch waiting to be installed contains a fix for a critical security hole, criminals can make good use of the gap between a fix being made available and the user actually installing it.
Luckily, there are plenty of options for businesses looking to prevent these types of security holes, especially if they use a system like Microsoft 365 as their tech infrastructure. We’ll look at this again shortly.
Simple mistakes
The last (and probably most common) form of human error when it comes to business IT is simple, basic mistakes.
These are situations where people just make an error in their day-to-day work — as we all do from time to time. But a typo on a customer email is a lot less damaging than accidentally emailing financial details to the wrong email address. Data can easily be exposed this way and no anti-virus or cybersecurity system in the world will be able to stop it without a system of checks and balances in place — more on this in the next section.
Again, your IT support infrastructure can come to the rescue here, but so can good old-fashioned user awareness training. If you can get your whole team to be more aware of cyber security issues, that’s half the battle won right away.
How to mitigate human error in your business
Now that we’ve looked at some examples of human error in action, let’s get to the good stuff: how to prevent – or at least mitigate – human error in your business.
It should go without saying that human error can never be completely eliminated – “to err is human”, after all. But you can put measures in place to reduce the likelihood of an issue occurring due to human error.
Here are our best practice recommendations:
Implement Multi-Factor Authentication (MFA) for all users
Multi-Factor Authentication, or MFA, is an extra layer of security in addition to a user’s password. It usually uses something like a text message with a unique one-time code the user can input to verify their identity. In this way, any weak or compromised passwords won’t totally compromise your security. That said, you should always implement strict password structure policies in any case.
Host user awareness training sessions
Many of the human errors that take place in a business happen because the user simply wasn’t aware of the risk. It stands to reason, then, making users aware of the various cyber security risks is an essential tactic to mitigate risk. Hosting User Awareness Training sessions will give you the chance to highlight everything we’ve covered in this article along with any other ‘trending’ cyber security or phishing risks employees should be aware of.
Deploy email filtering
Your IT support team and systems administrators have quite a lot of power to mitigate human error, especially when it comes to emails. As we covered in our IT Support Insider: Email Security article, you can deploy Exchange Online Protection (EOP) cloud-based filtering if you’re using Microsoft 365. This acts as a filter which you can configure with individual policies for specific users or user groups.
Need an MSP that understands cyber security risks?
Whether you’re already working with a Managed Service Provider (MSP) and thinking of switching, or if this is the first you’re hearing of these types of security measures – Get Support is here to help.
Our dedicated team of IT support experts have decades of combined experience serving UK businesses. In our decades of operation, we’ve seen every human error in the book and can provide expert IT consultancy on how to properly mitigate these risks or deliver user awareness training.
To learn more about how we could help improve your company’s cyber security, call the team now on 01865 594 000 or pop your details into the form below.