Human error plays a huge role in data breaches; read on to find out how automation could be the key to minimising this risk.
We all make mistakes; after all, we’re only human. In the ‘normal’ world, mistakes are a brilliant way to learn and grow. However, in the cyber world, mistakes can be detrimental to the longevity of a business.
Despite the enormity of their impact, mistakes due to human error happen regularly in cyber security; in fact, a report by IBM found that human error was responsible for 95% of successful security attacks. And yet the capacity for human error continues.
Automation could be the key to avoiding human error and data breaches. By introducing automation to key cyber security processes – and removing the opportunity for human error entirely – a company could potentially avoid a lot of security breaches.
Here we explore why – and how – you should be leveraging automation to deliver InfoSec to your business.
Human factors and data breaches frequently go hand in hand.
Human error within the context of cyber security isn’t quite the same as human error in a day-to-day context. The term refers to the unintentional actions – or lack of action – that could cause, allow or spread a cyber attack and security breach.
The level of human error can differ enormously. It could range from something as seemingly harmless as not creating a strong enough password to downloading a malware-infected document to a company system. On the operational side, it could be missing a key step in a complicated delivery process that leaves a piece of technology prone to attack.
There has been a huge amount of research carried out on the links between human error and cyber attacks.
- Verizon found that 90% of data breaches were due to human factors in 2019
- Kaspersky reported that 88 – 91% of breaches of public cloud infrastructure were down to human error
- Proofpoint said that human factors led to 99% of compromise attempts in 2019
The numbers don’t lie; employee cyber behaviour can be responsible for serious hack attacks.
What are the types of human error we see in InfoSec teams?
There are countless opportunities for human error in a cyber setting, but there are common themes that tend to inch individuals towards these types of mistakes.
Often, several teams will be involved underneath an InfoSec function. These teams will be required to work with one another on projects as well as BAU work; this calls for some serious organisation and awareness. Whether it is up to one person or a series of figureheads, teams will need to ensure that the right people are involved with the right projects and that priorities are well understood and aligned with business objectives.
Unsurprisingly, leaving this up to human judgement poses a lot of risks. An important member of staff (who could hold integral information necessary for InfoSec to run smoothly) may be forgotten, or the rest of the team may not even be aware of what their role encompasses and what knowledge they could bring to the table. Similarly, an entire team could be omitted, leaving gaps in the overall protection of the company.
Especially in an environment as fast paced as InfoSec, it is unrealistic to expect any individual to have an all-encompassing overview of the relevant parties and staff members that need to be involved in a cyber security project or ongoing work.
Performing assurance is a big part of onboarding new platforms and applications; it ensures that new elements are compliant with company policy and industry standards. This is a crucial job… but it also has an enormous potential for mistakes.
When staff members have to manage this using manual processes and spreadsheets, you will likely find yourself with varied results; and when it comes to compliance, this is something you want to avoid like the plague.
Alternatively, automating the parts of the process so that your team can more easily align your technology to industry standards and company policy will enable a streamlined process that is reliable and consistent every time. The result? Far better compliance and considerably less risk.
Frequently, InfoSec teams work in silos – there is a “them and us” mentality throughout the organisation, which culminates in miscommunication and a disconnected, undervalued culture.
This can lead to a resistance from staff members to share relevant information with the InfoSec team… especially when they don’t even know what is and isn’t relevant!
Ultimately, it comes down to embedding your InfoSec team within the organisation. A great way to do this is to provide a simple, efficient way for internal customers to engage with the cyber team, which will ultimately lead to better relationships.
This communication channel can be used to raise awareness and weave learning into the process, so that internal customers can skill up on why InfoSec is crucial, what it actually does and how it benefits the entire company.
This enhanced understanding will allow for a more collaborative approach to company security, and a better awareness of what is expected of customers.
Is automation the answer to human error within InfoSec teams?
Yes… and no.
While automation can be a brilliant driver when it comes to eliminating the possibility of human error, it should be used in conjunction with regular process reviews and evaluation; it is vital that InfoSec teams understand what is expected of them, and automation can help support a more consistent approach that is measurable and can drive improvement.
As more and more businesses transition online – and the threat of cyber attacks increases – we believe the smart companies will take full advantage of automation and collaboration solutions to enhance their cyber security team operations and help their team be more effective in protecting the business.