The hidden human risk in your organization
One of the most popular sayings in cyber security is "Hackers target humans, not computers."
Contrary to the Hollywood stereotype of a cloaked hacker 'cracking into the mainframe', most cyber attacks are done using simple trickery and human-based scams.
According to a 2022 report from Verizon, 82 percent of data breaches 'involve a human element', or in other words, are at least partially due to human error.
Whether it be falling victim to a phishing scam, downloading malware, or simply re-using the same password across multiple systems, some of the world's largest data breaches have been due to preventable mistakes made by the people within an organization.
And while most human error is preventable, in most cases we don't even get to see it happening until it's too late.
Human error and Shadow IT
In a previous blog post we explored Shadow IT, which means the hidden or unknown parts of your business IT systems.
Common examples of Shadow IT include:
personal Google Docs accounts that staff use to store work documents
personal email accounts used to send work-related communications
non-workplace chat apps such as WhatsApp or Messenger
unsanctioned SaaS apps that staff download and use without permission or administration
For the people in charge of your business's IT, Shadow IT often remains undetected and therefore unprotected.
Shadow IT houses a massive amount of human risk simply because IT administrators can't see or control how staff are using business tech and data.
The problem with these commonplace Shadow IT practices is that they bypass your business's security controls and create a lot of opportunity for undetectable human error.
For example, if a colleague accidentally leaks something confidential via a personal email or social media account, there is typically no way to track or become aware of the leak. Likewise, if a staff member falls for a phishing scam outside of a sanctioned work account, it can be difficult to monitor and mitigate the damage.
By using apps or accounts without approval from the appropriate IT channels and admin(s), colleagues fall into Shadow IT and create a major risk of human error in the business.
How human risk stays hidden
One of the most prolific, yet rarely discussed, ways that Shadow IT spreads through the business is through SaaS permissions.
When staff adopt new SaaS apps, such as calendar booking apps or workplace management tools, they're often sharing workplace data and permissions between apps without IT approval.
Many organizations are unaware of the risk this creates, and unknowingly allow the majority of their workers to create Shadow IT blind spots without mitigation.
This exacerbates the issue of human error, as attacks gain the capacity to spread between apps as the result of one mistake.
For example, imagine a worker installs a third-party text editor app on a workplace Google Docs account and grants it access to their documents. If the worker's password for that third-party app is then compromised, an attacker could indirectly access workplace documents through the permissions the app was given.
The more apps and IT add-ons our staff attach to the workplace, the more room there is for human error to infiltrate the workplace.
So what's the best way to reduce your human risk?
Four steps to reduce human risk
The best way to protect your IT assets, whether it be reducing human risk or fortifying your technical security measures, is to gain an awareness and understanding of how your systems are used.
Without knowing what apps, accounts and general systems are in the workplace, you won't be able to protect them.
To best reduce your human risk we recommend you direct your efforts towards the following four measures:
Discovery: This involves running detective measures across your systems and cataloging the applications and accounts being used by staff. This means not only checking the apps installed on workplace devices, but also scanning SaaS applications to determine the permissions and OAuth configurations staff have granted to other apps.
Access Control: Once you've scanned and cataloged your IT systems, it's time to set up appropriate permissions and access control measures. This includes removing excessive access on SaaS environments, deleting redundant user accounts and adjusting permissions so staff and third-party apps can only access the assets they require. By reducing the permissions allocated to staff you inherently reduce the amount of harm that a potential instance of human error can cause.
Policies and procedures: To reduce the risk of further Shadow IT blind spots, it's important to create and apply policies across the entire organization. Set acceptable limitations and procedures on how staff can use business technology, and what applications they are permitted to use and install. Furthermore, apply general IT policies such as password strength requirements and acceptable email usage across the entire organization to lower the chances of human error.
Awareness training: At the end of the day, there are only so many technical steps you can take to reduce the chances of human mistakes. One of the most essential security steps any business can take is regular staff training. To effectively reduce human risk, cyber security should be a regular component of your organizational culture. Measures such as training videos, cyber security programs and awareness material such as posters can all go a long way in reducing human risk.
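As an added example (not code from the original post), here is a small Python triage of a constructed export of third-party OAuth grants, the kind of inventory the discovery step produces; it flags apps holding broad Google scopes (the text-editor-on-Google-Docs case above) and grants nobody has used recently, which are the first candidates for the access-control step. The export format, the 90-day threshold and the list of broad scopes are assumptions; the scope URIs themselves are real Google scopes.

```python
import json

# Constructed sample export of third-party OAuth grants, in the shape an admin
# might assemble from a SaaS console. This is not a real export format.
GRANTS_JSON = """
[
 {"user": "alice@example.com", "app": "QuickEdit Text Editor",
  "scopes": ["https://www.googleapis.com/auth/drive",
             "https://www.googleapis.com/auth/userinfo.email"],
  "last_used_days_ago": 3},
 {"user": "bob@example.com", "app": "Meeting Scheduler",
  "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
  "last_used_days_ago": 12},
 {"user": "carol@example.com", "app": "Old Survey Tool",
  "scopes": ["https://www.googleapis.com/auth/drive.file"],
  "last_used_days_ago": 200}
]
"""

# Google scopes that grant broad access to mail, files or admin settings.
# drive.file (per-file access chosen by the user) is deliberately not listed.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full read/write access to every Drive file",
    "https://www.googleapis.com/auth/gmail.readonly": "read access to all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify access to all mail",
    "https://www.googleapis.com/auth/admin.directory.user": "read/write access to the user directory",
}
STALE_DAYS = 90  # assumption: grants unused for this long are candidates for removal


def triage_grants(grants_json, stale_days=STALE_DAYS):
    """Return a list of (user, app, reason) findings for grants that warrant review."""
    findings = []
    for g in json.loads(grants_json):
        for scope in g["scopes"]:
            if scope in BROAD_SCOPES:
                findings.append((g["user"], g["app"], f"broad scope: {BROAD_SCOPES[scope]}"))
        if g["last_used_days_ago"] > stale_days:
            findings.append((g["user"], g["app"], f"unused for {g['last_used_days_ago']} days"))
    return findings


if __name__ == "__main__":
    for user, app, reason in triage_grants(GRANTS_JSON):
        print(f"{user:22} {app:22} {reason}")
```

Each finding is a prompt to either narrow the app's scopes (for example to drive.file) or revoke the grant entirely, then feed the decision into the policies step.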
In summary, it's crucial for any business to understand the technology it uses and the ways that staff are using it.
In modern cyber security, one small mistake can result in a major data breach. Whether your business is big or small, take the time to facilitate awareness and safe practice across the organization.