The Role of Human Error in Successful Security Attacks

The Threats of Inadvertent Human Error by Insider Mistakes

One of the leading errors made by insiders is sending sensitive documents to unintended recipients. This is relatively easy to solve by deploying security controls to monitor sensitive information being leaked out of the organization. Once considered complex to deploy, these controls have been made considerably easier to implement by vendors in recent years. This has dramatically reduced the level of user involvement required and increased the use of such controls.

These tools can also prevent users from engaging in inappropriate behavior, such as sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks. Lost or stolen mobile devices are also a major concern that is exacerbated by the growing trend toward the use of personal devices.

Human error is also a factor in other security incidents caused by insiders who are the most trusted and highly skilled, such as system and network administrators. Some of the most commonly recorded forms of human error caused by such employees are misconfigured systems, poor patch management practices and the use of default names and passwords.

Successful Security Attacks Exploit Human Interest Factor

The human interest factor is also being exploited by attackers and plays a large part in successful security attacks seen today, but it is not always attributed to mistakes made by insiders. Many of these attacks involve social engineering techniques to lure individually targeted users into making mistakes. Advanced and targeted attacks involved spear-phishing scams with emails containing malicious attachments that can cause malware to be downloaded onto the user’s computing device. This gives attackers a foothold into the organization in search of valuable information, such as intellectual property.   

Today, legitimate websites are increasingly being hacked since they are just the sort of websites that users would routinely trust. However, compromised websites are also being used in attacks that target the interests of specific users or groups. There has also been a particular increase in so-called watering hole attacks.

People, Processes and Technology

It is often said that any successful organization must focus on people, processes and technology in equal order. Technology provides automated safeguards and processes to determine the series of actions to be taken to achieve a particular end. Oftentimes, there is insufficient attention paid to the “people” part of the equation. To stem errors made through social engineering and to raise awareness of the potential caused by carelessness, technology and processes must be combined with employee education. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. Keeping organizations safe relies on constantly educating employees about identifying suspicious communications and new possible risks.

Breaking The Compliance Mindset

Addressing security threats requires a new direction from the mindset that compliance equals security.  While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.

Compliance is useful in that it forces organizations to focus on security, but security departments should no longer view compliance as anything more than what it is – the floor, not the ceiling. Depending on your requirements, you may have to require awareness training to be compliant. Organizations often achieve compliance through annual training or assessments that have little positive impact on an organization, and can sometimes create a negative perception of security awareness. Compliance-driven training will only require that you prove people have completed the training, it won’t require any proof that employees can apply information provided during training. Checking off the security awareness box on your compliance checklist is necessary and it may feel comforting, but it’s a false sense of security.

I understand that compliance is not going away, and that for many CISOs addressing it consumes a large part of their budget and time, so how do you break out of the compliance mindset? For security awareness, start by presenting training material that addresses relevant and emerging threats. Training employees on topics like password complexity overloads them with information that does little to improve security. Training on topics like this may be an easy way to fulfill compliance, but training that empowers your employees by giving them knowledge they can apply will truly improve your security posture. Regulations fail to address security concerns because they are rigid and don’t adapt to new tactics; however, users can be trained to be dynamic threat detectors.

Just as organizations have unique needs; humans have different needs as well. Applying a one-size-fits-all approach to training will meet compliance needs, but it won’t be as effective as continuous training with multiple education modes; thus appealing to a variety of learning styles. Your security awareness program needs to evolve beyond annual training into a living, continuous program. Make security awareness part of your organization’s culture by conducting training periodically and varying the presentation of that training content to ensure you resonate with everyone in the organization.

While compliance struggles to keep pace with emerging threats, security awareness that succeeds in improving employee behavior could keep you ahead of the curve. The adversaries are dynamic, creative humans, having security-aware employees with the skills to identify anomalous activity as a strategic objective will go much farther than checking the box.  It’s time companies moved away from the “I have read and understand” model, and instead move employees into a “I have read, watched, performed, been assessed, and can prove that I understand” mindset. One size definitely does not fit all, and I one question tests prove nothing.