As with most things in life, it is always the more daring, sophisticated and, dare we say it, glamorous aspects of cybercrime that attract all the headlines.
The audacious hacks that steal industrial volumes of personal data from major institutions. The state-sponsored acts of cyber espionage that compromise the national security of a rival. The deviously cunning pieces of malware that spread like wildfire through online systems and cause damage on a global scale before anyone seems to know what is happening.
The reality of most cybercrime, however, is much more mundane. Far from depending on exceptional coding skills and sophisticated understanding of digital systems, most would-be hackers and data thieves rely on something much more straightforward – opportunism. And most of the time, the opportunities they exploit come as the result of human error.
The statistics could not be clearer. According to data from the Information Commissioner’s Office (ICO), some 90% of cyber data breaches reported in the UK in 2019 resulted from human error – a marked increase on the previous two years. Even more sobering, according to the Ponemon Institute, the average cost of a data breach to an organisation is some $3.5 million.
The reason why so many cyber breaches are caused by human error probably boils down to the fact that human agency plays a role in data/cyber security in ways we often don’t even realise. The famous WannaCry ransomware attack of 2017, for example, is widely considered a very sophisticated piece of malware engineering. But it spread by exploiting a known vulnerability in the Windows SMBv1 service, and Microsoft had already released a patch for it (MS17-010) two months before the outbreak; it simply took many companies months to apply it. The whole crisis was therefore exacerbated by poor patching and cybersecurity practices on the part of the thousands of organisations that ended up being affected.
The human impact in data security
In terms of classifying the types of error that lead to cybersecurity breaches, leaving a known vulnerability unpatched falls into the category of ‘misconfiguration of assets’. This is a common class of human error which covers everything from disabling security features within programmes (unintentionally or otherwise) and failing to apply updates, to the broad issue of ‘shadow IT’, or employees downloading/using unauthorised software that creates holes in the cybersecurity fabric.
By far the most common mistake that leads to cyber data breaches is falling for ‘social engineering’, of which phishing is the prime example. Social engineering breaches involve a malicious agent actively trying to trick their way through cybersecurity defences rather than break them. Examples include scam emails carrying malware attachments that execute when opened, or imitation web pages that con people into submitting account and access details. The key point is, phishing only works if somebody, somewhere falls for it and takes the prompted action. According to the ICO, phishing accounted for nearly half of all breaches in the UK last year.
Other common errors that lead to data breaches include the use of weak or reused passwords and weak authentication (for example no multi-factor authentication), especially on the most sensitive accounts. This allows attackers to carry out what are known as ‘brute force’ attacks – gaining access simply by guessing credentials, typically by working through lists of common passwords, or passwords leaked in earlier breaches, until one of them is accepted.
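The following is an added example, not code from the original article: a toy login service attacked with a constructed six-word password list, run three times to show why the two factors above matter. A weak password with no lockout falls on the sixth guess; the same weak password behind a lockout after five failures never gets reached; a passphrase outside the wordlist survives the whole list. PBKDF2 stands in for a proper password hash (argon2id or bcrypt in production), and the user names, passwords and wordlist are all invented for the illustration.

```python
"""Added example: a dictionary attack against a toy login service,
with and without an account lockout. Not code from the original article."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist, ordered the way an attacker would order it:
# most common guesses first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Welcome1", "Summer2019"]

# PBKDF2 stands in for a real password hash (argon2id or bcrypt in production).
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    """Minimal password login. lockout_threshold=None disables lockout."""

    def __init__(self, lockout_threshold: Optional[int] = None):
        self.accounts: Dict[str, Account] = {}
        self.lockout_threshold = lockout_threshold

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if acct.locked:
            return False  # refuse even a correct password once locked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        if self.lockout_threshold is not None and acct.failures >= self.lockout_threshold:
            acct.locked = True
        return False


def dictionary_attack(service: LoginService, user: str,
                      wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try each candidate in order. Returns (password_or_None, guesses_made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if service.login(user, candidate):
            return candidate, guesses
        if service.accounts[user].locked:
            return None, guesses  # shut out before reaching the real password
    return None, len(wordlist)


def run_scenarios() -> Dict[str, Tuple[Optional[str], int]]:
    """Same attacker and wordlist against three accounts; returns the outcomes."""
    results = {}
    # 1. Weak password, no lockout: falls on the sixth guess.
    svc = LoginService()
    svc.register("alice", "Summer2019")
    results["weak_no_lockout"] = dictionary_attack(svc, "alice", WORDLIST)
    # 2. Same weak password, lockout after 5 failures: attacker never gets there.
    svc = LoginService(lockout_threshold=5)
    svc.register("bob", "Summer2019")
    results["weak_with_lockout"] = dictionary_attack(svc, "bob", WORDLIST)
    # 3. Passphrase not in any wordlist: survives the whole list.
    svc = LoginService()
    svc.register("carol", "correct horse battery staple")
    results["strong_no_lockout"] = dictionary_attack(svc, "carol", WORDLIST)
    return results


if __name__ == "__main__":
    for name, (found, n) in run_scenarios().items():
        print(f"{name}: password={found!r} after {n} guesses")
```

Note the caveat a practitioner would raise: a hard lockout is the simplest control but it lets an attacker lock legitimate users out by deliberately failing, so real deployments combine rate limiting and multi-factor authentication with checks against known-breached password lists rather than relying on lockout alone.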
Then there is the whole area of people mishandling sensitive data. This covers everything from sending emails to the wrong recipients and losing digital storage devices, to leaving workstations unlocked while logged in to a sensitive account or sending/communicating data over unencrypted channels. In the era of GDPR, simply failing to protect sensitive data (particularly any personally identifiable information) is enough to land an organisation with a heavy fine, even if nothing is actually stolen or misused.
The common thread that links all of these examples of human error is, as we have already suggested, a lack of awareness, which stems from a lack of education. Put simply, organisations are not doing enough to train their people in how to avoid data breaches. For example, the GDPR has been in force for two years now, placing a strict regulatory obligation on companies to protect personal data or face stiff penalties. Yet a study from Osterman Research found that only 42% of businesses train their employees in GDPR compliance.
This is all the more perplexing given that a study from cybersecurity giant Kaspersky found that more than half of businesses (52%) acknowledged that staff were their biggest risk when it came to protecting their systems and their data. Given this recognition – and the damaging consequences of data breaches – we might expect investment in cybersecurity training and skills development to be more prominent across the board.