Cybersecurity awareness training is key to mitigating cyber hacks caused by ‘human error’
Cyber threats are constantly evolving as hackers are devising new strategies and methods to exploit weaknesses within digital systems. While hackers have a huge arsenal of technological tools to exploit digital infrastructure, they often don’t need to take such extreme measures to get what they’re looking for. In fact, the World Economic Forum shared that 95% of all cybersecurity incidents are a result of human error.
In many situations, employees unknowingly give hackers information they need to achieve their goals—all it takes is a quick Google or social media search. Even organizations with multiple layers of cutting-edge cybersecurity software and advanced monitoring services can still fall victim to cyber attackers as a result of human error.
The surge of remote and hybrid work environments has complicated matters further, as research shows 33% of companies fail to provide any cybersecurity awareness training to users who work remotely.
With economic uncertainty lingering worldwide, businesses cannot afford to let hackers put their financial success at risk. Executive leaders must prioritize a security-centric culture and provide employees with the information they need to reduce the probability of a successful attack.
The consequences of human error
Numerous organizations have experienced financial and reputational harm after attackers managed to exploit unsuspecting employees. Despite having robust security measures in place, human error has allowed hackers to compromise victims’ systems using relatively simple techniques.
- D.C. Health Link was hacked in April 2023 after an unauthenticated user gained access to sensitive user information due to using a reused password stored in log files.
- Casino operators MGM and Caesars fell victim to ransomware in September 2023 after an IT employee gave access to company IT systems due to a successful social engineering attack from hackers.
- Colonial Pipeline fell victim to one of the most high-profile ransomware exploits ever recorded in June 2021, due to an employee’s VPN login password leaking on the dark web, as well as a failure to implement multi-factor authentication.
Common cybersecurity mistakes
In 2023, malicious links in emails jumped by 144% over 2022 and accounted for more than 30% of all cyberattacks, while over 43% of all cyberattacks were phishing exploits. Considering the prevalence of hacks and tricks that focus on employee mistakes, executives have good reason to increase employee security posture.
Below are some of the most common cybersecurity mistakes employees make when working both onsite and remotely.
- Phishing emails and suspicious links: The sheer quantity of emails that employees receive each day can make it difficult to notice suspicious activity, especially with generative AI improving hackers’ messaging skills and persuasiveness. As a result, untrained employees can be susceptible to phishing emails asking for sensitive information, or opening links that contain malicious software.
- Outdated software: Hackers are notorious for exploiting vulnerabilities within software. When they discover vulnerabilities, they will work tirelessly to take advantage of the situation while developers patch the issue. It’s also worth mentioning that the amount of time developers have to respond to a vulnerability before being exploited by threat actors is becoming shorter. This is one of the reasons why it’s critical to install software updates as soon as they’re available. Mature IT organizations will have automated patching of critical software setup. However, some organizations forget to monitor these automated patch jobs, or they opt for manual patching. The problem with manual patching routines is that many employees wait or even forget to install software updates and put their organization at risk.
- Weak and overused passwords: Most executives are well aware that weak passwords can make it easy for hackers to gain unauthorized access to workstations and applications. But many employees continue to use weak passwords for easy recall and convenience, with some even sharing the same passwords for different account logins. When an attacker manages to guess the password, or retrieve it through social engineering, hackers may be able to broaden the scope of their attack with minimal effort by launching credential stuffing attacks using the recycled passphrase(s).
- Unsecured public Wi-Fi: Since the end of the pandemic, many organizations have embraced remote work setups, allowing employees to work from virtually any connected location. While employees have benefited from the flexibility and work/life balance, it has also increased business risks for those failing to take proper precautions. Employers may find that employees are working on vulnerable public networks that are prone to Adversary in the Middle (AitM) attacks that allow for information snooping and can ultimately allow hackers to compromise company devices in some situations.
- Unlocked computers: It’s still very common for employees to walk away from their workstations without locking their computer screen. This can be an especially risky move in public settings, but also unwise in office settings. If left unattended, unwelcome visitors or prying colleagues could potentially take advantage of the workstation, access and steal sensitive information within, or even upload malicious software.
- Sharing devices and credentials: Sometimes employees share their devices or account details with their colleagues without thinking twice about the consequences. This type of behavior can enable insider-threat situations and allow unauthorized access of information that one of the offending users may not be authorized to view. Additionally, sharing credentials across communications platforms could be intercepted by hackers, enabling them to gain access to digital infrastructure.
The value of a ‘human firewall’
Some executives might be under the false impression that their organization would be an unlikely target for hackers. For instance, they might believe that a small company size would make them less susceptible to an attack. Or they might believe their organizations’ industry would never appear on an attacker’s radar. In reality, hackers don’t discriminate; they’ll exploit any organization that has the money or data they’re looking for.
Cybersecurity software and monitoring services can safeguard organizations from sophisticated attacks from outside threats. However, those safeguards mean little when employee negligence allows attackers to bypass those measures. For this reason, executives should prioritize the ‘human firewall’ philosophy as part of their cybersecurity strategy.
The general idea behind this concept lies in employees being the first line of defense against cyberattacks. Executives can strengthen the effectiveness of their human firewall by prioritizing a security-centric company culture that embraces the triad ‘mindset - skillset - toolset’.
- Mindset: Educate employees so they understand the current threat landscape. This is critical and yet is often overlooked.
- Skillset: Regularly train employees on how to spot attacks, as well as a strategy on how to quickly address a potential hack or breach.
- Toolset: Provide employees with the tools they need to keep their workstations shielded, as well as resources for reporting suspicious activity.
To start building an effective human firewall, executives should provide ongoing automated security awareness training. Other best practices include:
- Requiring employees to use complex, unique passwords for all accounts. Multi-factor authentication should also be implemented for maximum security.
- All company devices should be locked and password-protected when they are not actively in use, both on site and remotely.
- Employees should avoid using unsecured public Wi-Fi whenever possible. If this can’t be avoided, a VPN should be used for added protection.
- Software updates must be implemented as soon as they’re available.
- External email addresses should be reviewed before communication begins.
- Unsolicited emails with links or attached files should be met with extreme caution. Employees should immediately notify IT support when unsure about an attachment.
Cybersecurity infrastructure can do wonders for keeping organizations protected from criminals. But with such a high percentage of incidents being a result of human error, company-wide cybersecurity training should be treated as an equally important line of defense against hackers.
Executives who want to keep their organizations protected against cyberattacks must prioritize security awareness training to reduce the likelihood of human error contributing to successful hacks.
Andy Syrewicze, Security Evangelist at Hornetsecurity ([email protected])
Andy is a 20+ year IT Pro specializing in M365, cloud technologies, security, and infrastructure. By day, he's a Security Evangelist for Hornetsecurity, leading technical content. By night, he shares his IT knowledge online or over a cold beer. He holds the Microsoft MVP award in Cloud and Datacenter Management.