Eliminating the human element to cyber security breaches

June 28, 2019

Defending an organisation against the sophistication and professionalism of modern cyber criminals is not an easy task. Never before have cyber criminals been so well organised and equipped, possessing hacking skills that many enterprises would pay top dollar for.

Such enterprises have begun investing in the right skills and tools to best defend their business against such hackers, but it remains a challenge. That makes it all the harder to take when, despite investment in technology and systems, employee error or oversight is responsible for a data breach or other cyber attack.

What place do human errors have in overall human risk in business, and what can be done to address this?

Is human error on the rise in cyber security?

Human error has nearly always been a factor in cyber security, especially when it comes to data breaches. Whether it’s leaving a device or document on a train, using a personal device on a corporate network, working with a consumer-based file sharing service or sending a document to the wrong recipient – all can and have led to data breaches.

But it feels like such human errors are becoming more frequent, or certainly more high-profile. A recent Oracle report ‘Security in the Age of AI’ revealed that C-Suite executives and policy makers rank ‘human error’ as the top cybersecurity risk for their organisation.

Recent examples of where human error has had an impact include a database misconfiguration at UW Medicine, which exposed almost one million patient records. Rubrik, an IT security and cloud data management firm, failed to provide password protection on a huge database of customer information, exposing information relating to clients such as the UK National Health Service (NHS), Shell and the US Department of Homeland Security.

What’s behind human risk?

Whether it’s ignorance, negligence or incompetence, human error cannot be ignored. It happens and will always happen, so organisations should focus instead on how best to react to such errors. Human risk is different, however, especially in industries such as Financial Services (FS).

Human risk is based on actions that employees choose to take, rather than mistakes they cannot help. This could be feeling demotivated and not working as hard, or something more serious, such as stealing data. There has been a significant increase in such behaviour since the financial crisis of 2008, according to a study by Oxial partner, the University of Applied Sciences Western Switzerland (Hes-so).

The study involved interviewing executives from European private banks, and found evidence of rampant neglect and a lack of leadership, which had led to a toxic corporate culture. Many employees felt dissatisfied and hungry for revenge against those they perceived to be responsible.

The changes banks felt forced to make post-2008, such as mergers, outsourcing, recruitment freezes and downsizing, led to declining margins and higher regulatory costs. To manage this, banks pushed their staff harder, bringing occupational stress and disenchantment. This led to issues such as lower service quality, the loss of decades of experience with the departure of employees, and increases in absenteeism. In turn, this increased the instances of stolen data and fraud, which affect a firm’s reputation and even its bottom line.

Amplifying the weak signals to address human risk

To address such an important issue, it’s vital for any organisation to have a strong understanding of the mood of its workforce and to be aware of any potential problems. But in a larger firm, this is very hard to do.

That’s where technology solutions such as Oxial’s sGRC can play an essential role, helping to identify and amplify the weak signals in an organisation. Because there is so much data and information in modern business, it can be extremely difficult to notice patterns or trends, such as an employee comment on social media or an aside in a customer interaction.

These weak signals are hard to spot and even harder to draw insight from, because they are often isolated snippets of information that can be ambiguous, not fully developed, or lacking meaning without a wider context. Amplifying these weak signals can allow a business to spot trends in employee behaviour, and prevent human risk from causing too much damage.

Human error will always be hard to stop completely, although that’s not to say measures can’t be taken to at least partially address it. But human risk is another matter entirely, and with the right approach organisations can manage and mitigate this risk very successfully.
