Human error is one of the main drivers of cyber attacks, accounting for about 80% of all incidents. Cyber attacks have become a major concern for businesses, as they are a significant threat that could jeopardise the future of the company in many ways. Loss of customer base, lost profit, increased expenses and potential legal trouble are all pain points organisations want to avoid. Unfortunately, that is not always possible. Tackling each risk area one by one is a great strategy for minimising cyber attacks, and human error is currently the biggest risk.

Human error: Can it be reduced?

Companies cannot control their employees 100% of the time. When trying to find solutions for human error, it is important to remember that while companies can take steps to reduce the chances, they will most likely not eliminate cyber attacks. Hence, it is crucial to keep that in mind when brainstorming. How can a company develop more effective strategies?

There are a few ways that include:

  1. Talking with employees
  2. Conducting an analysis
  3. Prioritising the biggest threat
  4. Encouraging better communication and reporting

1. Talking with employees

Human error takes place because of employee mistakes. It is therefore crucial that employees are included in the creation of prevention strategies. They know when instructions are unclear, when training is ineffective and what issues sensitive tasks can pose. Employees can have very helpful suggestions for minimising human error that employers may not have thought of. It is always beneficial to have more stakeholder perspectives in the decision-making process, as it usually proves more fruitful.

2. Conducting an analysis

Companies should look at competitors, organisations in similar industries and the wider business world to figure out where and how a cyber attack could happen. What is the most common human error? Under what circumstances does it happen? After an external analysis is completed, an internal one will be necessary to detect weak points that the business will need to address. Risk assessments can look at the business as a whole and each department separately to yield better results. 

3. Prioritising the biggest threat

Once the business has identified its vulnerabilities, it needs to address human error in those areas. It is crucial to remember that this process might take time and will probably not happen overnight. Employees may take a while to adjust to new guidelines and expectations and some aspects may not be clear. Employers need to be patient but consistently enforce new rules. 

4. Encouraging better communication and reporting 

Human error is unavoidable. Humans make mistakes and eventually, something will go wrong. However, the fear of being the one who messes up can drive employees away and make them hesitant to speak up. If staff do not disclose information, such as a misstep, oversight or possible vulnerability, then the business is exposed to unnoticed threats. Explain to employees that they need to come forward with any information they have as early as possible. The longer it takes for a concern to be reported, the worse the consequences will be for the company.

The way companies can improve communication and reporting will vary depending on the type of company and work culture they are trying to create. Is your company strict or friendly? Are employees encouraged to socialise and spend time away from work or is work the priority? Similar questions can determine how communication can be improved. This will help in implementing human error prevention strategies.


Strategies for reducing human error

Human error is, by definition, accidental and not deliberate – thus the steps to prevent it are different from the steps you’d take to prevent malicious insider threats. Employees are caught off guard and fall for a scam, or forget to take security measures. Hence, it can be difficult to predict what will happen, because it involves predicting human actions. However, there are some well-known strategies companies can implement to reduce the chances of human error leading to a cyber attack.

These include:

  1. Employee training
  2. Password management
  3. Two-factor authentication
  4. Software updates
  5. Data backup
  6. System-level controls
  7. Risk-aware culture

1. Employee training

Conducting regular training sessions to educate employees on best practices for cyber security can go a long way in reducing human error. These sessions should be mandatory and scheduled at different times throughout the year. They should cover potential scams, examples of cyber attacks and response plans that explain what should happen in the worst-case scenario. This will not only give employees a clear idea of what to expect but will also give them instructions on how to handle the situation. This reduces the time between a risk materialising and the management team being notified.

2. Password management

Organisations should ensure that employees have strong passwords and that they change them regularly to reduce the risk of password-related errors. Employees should not write down their passwords in a publicly accessible notebook, and if possible, they should not write down their passwords at all. If they prefer to store their passwords online, then a password manager protected by a master password should be chosen. The ideal scenario would have employees use strong passwords that they remember and do not share with anyone else. If they do need to share a password, then they should do so over a separate, secure channel that reduces the chance of sensitive information falling into the wrong hands.

3. Two-factor authentication

Implementing two-factor authentication can provide an additional layer of security that helps prevent cyber attacks driven by human error. Many online services require users to have a separate app on their phone that authenticates their identity. Businesses should have similar two-factor authentication procedures for systems that store confidential information. It could be as simple as answering some questions only the employee knows the answer to. Polonious offers two-factor authentication via a few methods – email, SMS, or Google Authenticator.

4. Software updates 

All software the business uses should be kept up to date to help prevent cyber attacks. The possibility of human error can be reduced by fixing vulnerabilities that could be exploited by criminals. The fewer tasks employees have to worry about, the less likely it is that a cyber attack will occur. This is why software should be set to automatic rather than manual updates. This way, all key software remains up to date with patches for identified vulnerabilities without users needing to remember to check for patches and updates.

5. Data backup 

Regular data backups can help ensure that data is stored securely and confidentially. Each department should have storage, such as cloud-based software, that allows it to save its files without other departments having access to them. The company should stress the importance of backing up all documents to that software, to protect the organisation and its stakeholders. This strategy will reduce the chance of human error where file confidentiality is involved. It will make data breaches less likely if employees do not save sensitive files on their personal devices.

6. System-level controls

As mentioned above, the fewer tasks employees have to worry about, the less exposed the business is to a cyber attack. So, you should use system controls to ensure a baseline level of safeguards even when employees forget or make mistakes. For example, you can set an automatic logout on important systems so that a user is logged out if they are idle for more than 10-15 minutes. This ensures the user gets logged out when they leave their computer, even if they forget to do so themselves.

7. Risk-aware culture

Cyber attacks can take many forms, and it is very important for companies to warn employees outside of training sessions. Circulating emails, sharing articles and warning colleagues of potential scams, phishing attempts and fraud is necessary for reducing the chance of human error. If employees know what the latest cyber attack attempts look like, then they will be more alert and less likely to fall for a scam. Emphasise the importance of being sceptical; if employees are unsure whether an email or request is genuine, then it is better to send a message, call or ask their colleagues through a different channel. It is important to build a proactive risk culture, because the people best placed to identify potential risks are front-line staff, not just the risk managers.

Remember

Cyber attacks do not discriminate. Companies of any size, industry and country are vulnerable to cyber criminals. Our customers know this and this is why they choose Polonious to help them investigate any potential threats. We assist our clients with case reporting, automating their processes and providing them with the necessary updates so they can focus on their core business tasks and the investigation while we handle the rest. We are ISO 9001 and ISO 27001 certified, and we are committed to giving our customers a high-quality system that helps them cut costs and prevent cyber threats. Do you want to see how our system works? Book a demo!