The Threat of Inadvertent Human Error: Insider Mistakes
One of the most common errors made by insiders is sending sensitive documents to unintended recipients. This is comparatively easy to mitigate by deploying security controls (data loss prevention, or DLP) that monitor sensitive information leaving the organization. Once considered complex to deploy, these controls have been made considerably easier to implement by vendors in recent years, which has sharply reduced the level of user involvement required and increased their adoption.
These tools can also prevent users from engaging in inappropriate behavior, such as emailing documents to personal accounts, uploading them to file-sharing sites, or copying them to removable media such as USB sticks. Lost or stolen mobile devices are a further major concern, one that is exacerbated by the growing trend toward the use of personal devices for work.
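As an added illustration, not code from the original post or from any vendor's product, here is a minimal Python check of the kind an outbound-email DLP control applies to the two mistakes just described: sensitive content addressed to someone outside the organization, and attachments sent to a personal webmail account. The internal domain, the webmail list, the content patterns and the allow/warn/block policy are hypothetical assumptions chosen for the example, and the sample messages are constructed.

```python
"""Minimal outbound-email DLP check (added illustration; policy values are assumptions)."""
import re
from dataclasses import dataclass, field

# Hypothetical policy data for the example.
INTERNAL_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Content patterns a DLP policy commonly flags.
CLASSIFICATION = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def find_sensitive(text: str) -> list[str]:
    """Return human-readable reasons why `text` looks sensitive (empty if none)."""
    reasons = []
    if CLASSIFICATION.search(text):
        reasons.append("classification marker")
    if SSN.search(text):
        reasons.append("SSN-like number")
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("card number (Luhn-valid)")
            break
    return reasons


def evaluate(msg: Message) -> dict:
    """Decide allow/warn/block for one outbound message and explain why."""
    external = [r for r in msg.recipients if domain(r) not in INTERNAL_DOMAINS]
    personal = [r for r in external if domain(r) in PERSONAL_WEBMAIL]
    reasons = []
    for label, text in [("subject", msg.subject), ("body", msg.body), *msg.attachments.items()]:
        reasons += [f"{label}: {why}" for why in find_sensitive(text)]

    if external and reasons:
        action = "block"   # sensitive content leaving the organization
    elif personal and msg.attachments:
        action = "block"   # "sending documents home" via personal webmail
        reasons.append("attachment to personal webmail")
    elif reasons:
        action = "warn"    # sensitive but internal: log for audit, let it through
    else:
        action = "allow"
    return {"action": action, "external": external, "reasons": reasons}


# Constructed sample messages (not real data).
SAMPLES = {
    "leak": Message("alice@example.com", ["bob@example.com", "partner@othercorp.com"],
                    "Q3 roadmap", "Attached, please keep this quiet.",
                    {"roadmap.docx": "INTERNAL ONLY - Q3 product roadmap"}),
    "home": Message("alice@example.com", ["alice.personal@gmail.com"],
                    "for later", "", {"notes.txt": "meeting notes, nothing secret"}),
    "internal": Message("alice@example.com", ["hr@example.com"],
                        "new hire", "SSN 123-45-6789, card 4111 1111 1111 1111"),
    "benign": Message("alice@example.com", ["partner@othercorp.com"],
                      "lunch?", "Thursday works for me."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```

The point of the structure is that the decision is driven by where the message is going as much as by what it contains: the same SSN and card number that are merely logged when sent to an internal HR mailbox are blocked the moment an external recipient appears, and an attachment to personal webmail is blocked even when no pattern matches, because the policy treats that route itself as the mistake.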
Human error is also a factor in security incidents caused by the most trusted and highly skilled insiders, such as system and network administrators. Among the most commonly recorded forms of human error by such employees are misconfigured systems, poor patch management practices, and leaving default account names and passwords in place.
Successful Security Attacks Exploit the Human Factor
The human factor is also exploited directly by attackers and plays a large part in the successful attacks seen today, although these incidents are not always recorded as insider mistakes. Many of them rely on social engineering techniques to lure individually targeted users into making an error. Advanced and targeted attacks typically involve spear-phishing: emails crafted for a specific recipient that carry a malicious attachment or link which, when opened, installs malware on the user's device. This gives attackers a foothold inside the organization from which to search for valuable information, such as intellectual property.
Today, legitimate websites are increasingly being compromised precisely because they are the sort of sites users routinely trust. Compromised sites are also used in attacks aimed at the interests of specific users or groups, and there has been a marked rise in so-called watering hole attacks, in which an attacker compromises a site that the intended victims are known to visit and waits for them to arrive.
People, Processes and Technology
It is often said that any successful organization must attend to people, processes and technology in equal measure. Technology provides automated safeguards, and processes define the series of actions to be taken to achieve a particular end. Too often, insufficient attention is paid to the "people" part of the equation. To stem errors induced by social engineering and to raise awareness of the damage carelessness can cause, technology and processes must be combined with employee education, so that employees understand the threats they face and the part they are expected to play in guarding against them. Keeping an organization safe relies on continually educating employees to recognize suspicious communications and newly emerging risks.