September 2, 2014 By Fran Howarth 4 min read

All humans make mistakes. One of the most intriguing findings from IBM’s “2014 Cyber Security Intelligence Index” is that 95 percent of all security incidents involve human error. Many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.

These mistakes are costly since they involve insiders who often have access to the most sensitive information. According to research by Federal Computer Week cited in a recent Vormetric report, the greatest impacts of successful security attacks involving insiders are exposure of sensitive data, theft of intellectual property and the introduction of malware. The research also reported that 59 percent of respondents agree that most information technology security threats that directly result from insiders are the result of innocent mistakes rather than malicious abuse of privileges.

The Threats of Inadvertent Human Error by Insider Mistakes

One of the leading errors made by insiders is sending sensitive documents to unintended recipients. This is relatively easy to solve by deploying security controls to monitor sensitive information being leaked out of the organization. Once considered complex to deploy, these controls have been made considerably easier to implement by vendors in recent years. This has dramatically reduced the level of user involvement required and increased the use of such controls.

These tools can also prevent users from engaging in inappropriate behavior, such as sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks. Lost or stolen mobile devices are also a major concern that is exacerbated by the growing trend toward the use of personal devices. Again, there is technology available to help organizations police what happens to data stored on devices that even allows sensitive data to be remotely wiped to prevent it from falling into the wrong hands.

Human error is also a factor in other security incidents caused by insiders who are the most trusted and highly skilled, such as system and network administrators. According to IBM’s report, some of the most commonly recorded forms of human error caused by such employees are system misconfigurations, poor patch management practices and the use of default names and passwords. There are a number of security controls that organizations should explore to guard against such threats.

Read the IBM research report: Battling Security Threats From Within Your Organization

Successful Security Attacks Exploit Human Interest Factor

The human interest factor is also being exploited by attackers and plays a large part in successful security attacks seen today, but it is not always attributed to mistakes made by insiders. Many of these attacks involve social engineering techniques to lure individually targeted users into making mistakes. According to Verizon’s “2013 Data Breach Investigations Report,” 95 percent of advanced and targeted attacks involved spear-phishing scams with emails containing malicious attachments that can cause malware to be downloaded onto the user’s computing device. This gives attackers a foothold into the organization from which they can move laterally in search of valuable information, such as intellectual property.

However, there is evidence that users are perhaps mending their ways and not falling prey to such nefarious activity. Verizon’s 2014 report found that the proportion of successful security attacks using this method has fallen to 78 percent.

Is this drop because users are becoming more savvy and are less likely to be lured into making such mistakes, or are attackers changing their tactics? It would appear that the latter is true since Verizon’s 2014 report found a sizable increase in the use of strategic Web compromises as a method of gaining initial access. Malicious URL links contained in emails have long been a major vector of attacks, but users are becoming much more aware of such antics — perhaps heeding advice not to trust such links, but rather to type URLs manually into browsers.

Today, legitimate websites are increasingly being hacked since they are just the sort of websites that users would routinely trust. However, compromised websites are also being used in attacks that target the interests of specific users or groups. There has also been a particular increase in so-called watering hole attacks — so named because they mimic the tactics of animals lying and waiting for their prey at the watering holes they are likely to visit.

Technology Alone Is Not a Panacea

As with the errors made purely by users themselves, such as inadvertently sending sensitive data out of the organization, there are technologies available for organizations to help safeguard themselves against external factors that target individual users in hopes of causing them to make errors.

People, Processes and Technology

It is often said that any successful organization must focus on people, processes and technology in equal order. Technology provides automated safeguards and processes to determine the series of actions to be taken to achieve a particular end. But even organizations with strong security practices are still vulnerable to human error. Oftentimes, there is insufficient attention paid to the “people” part of the equation. To stem errors made through social engineering and to raise awareness of the potential caused by carelessness, technology and processes must be combined with employee education. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. Keeping organizations safe relies on constantly educating employees about identifying suspicious communications and new possible risks.

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today