Defending Against Human Error
It’s Not an Entirely Unwinnable Battle
Last week we talked about network segregation, and in that article (as well as a few others like this one) I discussed some high-profile data breaches. I did this partly to help others understand what a breach actually is, but also to shine a light on some less well-known causes of them. After all, when it comes to cybersecurity and protection it’s easy to wind up focusing on the electronic aspects. Unfortunately, that means it’s just as easy to overlook other, bigger problems. This particular elephant in the room is, of course, human error.
The Role of Human Error in Recent Attacks
One specific example I brought up last week revolved around a Japanese city subcontractor that lost a USB drive full of confidential city records in a bar. In a similar vein, I’d like to bring up another article I ran across, this time about a police database of 1 billion records found for sale on the Dark Web. And how did this catastrophic “hack” happen? The login credentials for said database were accidentally posted in a blog. It didn’t take long for someone to connect using those otherwise legitimate credentials and download the cops’ entire 23 TB (that’s TERABYTE, with a ‘T’) database.
Then there’s the sad story of the hotel chain that just can’t seem to get it right. A recent report from Marriott revealed that they’ve been breached, again. For those keeping score, this is the third time they’ve suffered a successful attack in just over four years. It’s difficult to maintain that kind of record without human error being involved. Indeed, the most recent leak was caused by a socially engineered attack wherein the hacker impersonated someone (maybe a Microsoft representative) and convinced the user to follow a bad link, install infected software, or reveal credentials or other sensitive information that could be used to gain access. So again, human error.
So What’s the Answer?
Of course, people are just people, and while we’re all good at something, we’re also inevitably going to screw up. So the reality is that human error will never really be eliminated, at least not without, well, eliminating all the people, and that, hopefully, will never happen.
That doesn’t mean we can’t do something about it, though. There are two tools that can be easily leveraged here. The first is training. Educating your people so they know what to expect while using software, and what counts as abnormal behaviour, will improve their ability to identify when something is wrong.
The other tool available to every organization is the set of policies you’ve already got in place, right? Having solid acceptable use and other security or device policies that are reasonable, well thought out, and properly communicated to employees will help ensure everyone understands what activities are acceptable and what processes to follow when dealing with potential social hacks, as well as other situations involving a suspected breach or malware. Strong policies, even when not required by law or other industry standards, provide organizations with at least some level of security while not requiring significant investments in time, resources or money.
If you’d like help with training your staff or drafting acceptable use policies, please contact your TRINUS account manager and we’ll be happy to help out.
We’ll wrap up with this week’s Shakespearean quote, from The Comedy of Errors: “When the sun shines let foolish gnats make sport, but creep in crannies when he hides his beams.”
Courtesy your friendly neighbourhood cyber-man.