Human-Centered Vulnerabilities in Cybersecurity

Technology has traditionally been the focus in cybersecurity, but now experts are saying we need to make a shift in our focus to human-centered cybersecurity.

Of course, with any system, there are flaws. In the case of human-centered cybersecurity, it’s important to know what vulnerabilities you could be facing in your security.

What Are Human-Centered Vulnerabilities?

First, what exactly is human-centered security? It is security that puts the person who uses and views data at the center of its design. Your data is most valuable when a person is using it or when it is being displayed, and that is also the point at which it is most vulnerable.

The point of contact between data and humans is when your data is most valued, available and at risk, so you’ll want to ensure it’s also at its most protected.

Risks of Human Mistakes in Your Information Technology

Humans make mistakes, and when it comes to your sensitive corporate information, these mistakes can have dire consequences. Data breaches can be caused by employees when they:

  • Unintentionally email documents that include sensitive data.
  • Send sensitive data via email to the wrong recipients.
  • Cause unwanted access by misconfiguring assets.
  • Mistakenly publish confidential data on a public website.

While a human error may not be as costly as a breach caused by a hacker, the consequences can still be significant. Fortunately, your company can implement new or updated policies and changes to prevent human errors in your information technology.

Top Five Types of Human Error in Cybersecurity

Employees can make mistakes that lead to breaches in data. Human factors in information security should not be taken lightly, as errors in cybersecurity cost millions of dollars to remediate. Human errors in cybersecurity fall into two categories:

  • Skill-based human errors: These are errors that occur while a person is performing a familiar activity or task. They know the correct course of action, but they fail to perform the action correctly because of negligence or a temporary lapse. Often these errors occur when an employee is distracted, tired, not paying attention or experiencing a lapse in memory.
  • Decision-based human errors: These are errors that are caused by a user making a flawed decision. Maybe the user doesn’t have enough information about the circumstances or maybe they make a decision by default through inaction.

The following are the top five types of human error in cybersecurity:

1. Misdelivery

The term “misdelivery” refers to the act of sending something to the wrong person. Carelessness and email features like auto-suggest can lead to employees accidentally sending sensitive information to the wrong person.

Another common mistake that causes misdelivery is putting email addresses in the “to” field instead of the “bcc” field. This skill-based error can cause an employee to accidentally expose the private details of multiple people to one another.

Why is this a skill-based error? Because while the employee knew the correct procedure, they made the error out of carelessness. By not double-checking and comparing what they intended to do with what they actually did before sending out the email, they caused a data breach.

Encourage employees to take their time with emails and double-check email addresses and fields before hitting send.
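A pre-send check that catches the two misdelivery mistakes described above (a look-alike address picked by auto-suggest, and a group of outside recipients listed in “to” or “cc” instead of “bcc”). This is an added example, not code from the original article; the internal domain, partner domains and thresholds are constructed assumptions.

```python
"""Pre-send misdelivery checks for an outgoing email draft (added example)."""
from dataclasses import dataclass, field

# Constructed sample configuration: the organization's own domain and the
# partner domains its staff legitimately mail. A real deployment would load
# these from the mail gateway's configuration.
INTERNAL_DOMAIN = "example.com"
KNOWN_PARTNER_DOMAINS = {"partner-bank.com", "acme-supplier.com"}


@dataclass
class Draft:
    """The recipient fields of a draft message."""
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as exmaple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def check_draft(draft: Draft, max_visible_domains: int = 3,
                max_distance: int = 2) -> list[str]:
    """Return warnings the sender should confirm before the mail goes out."""
    warnings = []
    visible = draft.to + draft.cc

    # Mistake 1: unrelated outside parties all listed where they can see each
    # other's addresses. Many distinct external domains in To/Cc is the signal.
    external_domains = {domain_of(a) for a in visible
                        if domain_of(a) != INTERNAL_DOMAIN}
    if len(external_domains) > max_visible_domains:
        warnings.append(
            f"{len(external_domains)} external domains are visible in To/Cc; "
            "move these recipients to Bcc so they cannot see one another")

    # Mistake 2: an address whose domain is almost, but not quite, one we
    # know. This is the typical result of accepting the wrong auto-suggestion.
    trusted = KNOWN_PARTNER_DOMAINS | {INTERNAL_DOMAIN}
    for address in visible + draft.bcc:
        dom = domain_of(address)
        if dom in trusted:
            continue
        for known in sorted(trusted):
            if edit_distance(dom, known) <= max_distance:
                warnings.append(
                    f"{address}: domain resembles {known} but is not it; "
                    "confirm the recipient")
                break
    return warnings
```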

2. Easy Passwords

Another type of human error in cybersecurity is using easy passwords. Your employees need to use strong passwords to protect data — this means establishing clear procedures for storing, sharing and handling passwords.

Hackers can access accounts if they’re able to guess easy passwords or if they’re able to use a brute-force attack. Examples include:

  • Passwords using simple sequences: Passwords that are patterns found on your keyboard, such as “123456” or “9ijn8uhb,” can be easily guessed.
  • Passwords using corporate or personal data: Passwords that contain this type of data can be susceptible to attacks, as they can be guessed by browsing the social network accounts of employees.
  • Passwords using default credentials: These may be already known to attackers or easily cracked through a brute-force attack.

Employees may also store their passwords unreliably. Examples of unreliable password storage include:

  • Failing to encrypt passwords: If you’re utilizing a password manager, make sure it uses a strong encryption. Weak or no encryption at all can put passwords at risk.
  • Exposing passwords: Leaving a sticky note with your password on your desk could leave your password exposed to the public.
  • Leaving passwords open: Storing passwords in Google Sheets or in plain text can leave them vulnerable.

When passwords are handled incorrectly, this can also lead to vulnerabilities and create problems. Examples of incorrectly handling passwords include:

  • Changing your password too frequently: Traditionally it was thought passwords should be changed every 60-90 days. Today you should be using stronger passwords (four random words) and not changing them unless you are made aware of a compromise. Some banking sites and some types of insurance require passwords to be changed at least every 180 days, which is acceptable as well.
  • Managing passwords incorrectly across multiple platforms: If you use the same password for more than one account or vary just one character in each for several accounts, this could make your passwords and accounts susceptible to an attack.
  • Sharing passwords in an insecure way: Employees may send their credentials to their colleagues through unencrypted messengers, making their passwords vulnerable.

Ensuring your company has a dependable password policy can help your employees avoid accidentally sharing their passwords or improperly storing or handling them.
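A password check that flags the weak patterns listed above (keyboard walks such as “9ijn8uhb”, sequences such as “123456”, default credentials, and passwords built from corporate or personal data) while accepting the four-random-words passphrases the handling section recommends. This is an added example, not code from the original article; the default-credential list and the profile terms are constructed samples, and the 12-character minimum is an assumption.

```python
"""Detect the weak-password patterns described in this article (added example)."""
import re
from typing import Sequence

# QWERTY layout used to detect keyboard walks. Adjacency includes diagonals,
# which is how "9ijn" and "8uhb" form straight runs on a staggered keyboard.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}

# Constructed sample of vendor default credentials; a real check would load
# the full list its scanning tools use.
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "welcome1"}


def _adjacent(a: str, b: str) -> bool:
    """True when two keys sit next to each other on the keyboard."""
    if a == b or a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of physically adjacent keys."""
    pw = password.lower()
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if _adjacent(prev, cur) else 1
        best = max(best, run)
    return best if password else 0


def longest_sequence(password: str) -> int:
    """Length of the longest ascending or descending run such as 'abcd' or '4321'."""
    pw = password.lower()
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if abs(ord(cur) - ord(prev)) == 1 else 1
        best = max(best, run)
    return best if password else 0


def contains_personal_data(password: str, profile: Sequence[str]) -> list[str]:
    """Profile terms (name, employer, birth year, ...) embedded in the password."""
    pw = password.lower()
    return [t for t in profile if len(t) >= 3 and t.lower() in pw]


def is_passphrase(password: str, min_words: int = 4) -> bool:
    """Four or more words, as recommended in the handling section above."""
    words = [w for w in re.split(r"[\s\-_]+", password) if len(w) >= 3]
    return len(words) >= min_words


def check_password(password: str, profile: Sequence[str] = ()) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if password.lower() in DEFAULT_CREDENTIALS:
        reasons.append("default credential")
    if longest_keyboard_walk(password) >= 4:
        reasons.append("keyboard walk")
    if longest_sequence(password) >= 4:
        reasons.append("character sequence")
    hits = contains_personal_data(password, profile)
    if hits:
        reasons.append("contains personal/corporate data: " + ", ".join(hits))
    if not is_passphrase(password) and len(password) < 12:
        reasons.append("shorter than 12 characters and not a passphrase")
    return reasons
```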

3. The Use of Outdated Software

Hackers love outdated software, as it’s vulnerable and can be exploited easily. When it comes to outdated software, employees can make a hacker’s job easier by:

  • Disabling software security features: Employees may disable security features of software so they can use their work devices for personal purposes or simplify their work. Employees may download a file from an untrustworthy website or pause browser security or antivirus features so they can watch something on a suspicious website. Disabling these features can leave an employee open to a data breach.
  • Ignoring updates for software: Ignoring updates can also lead to data breaches. For example, the security of unpatched software can be breached, and older versions of Windows can be susceptible to ransomware outbreaks.
  • Downloading software that’s unauthorized: Even the software you use to protect your security could pose a risk to the cybersecurity of your company. When the software itself is malicious, it can immediately compromise your corporate data. Even if the software doesn’t have viruses, it could have vulnerabilities that are known by attackers.

Employees may offer excuses for not updating their software, so try using the following tactics to get them on board:

  • Encourage updates: Make it part of your everyday culture to encourage updates. Let your employees know that making the time to take care of the updates is acceptable and encouraged.
  • Include software updates in work schedules: Employees may feel overwhelmed by work tasks and worry about breaking their concentration to perform a software update. Let employees know that updated software is crucial to their work performance and that they can include software updates in their schedule or list of work tasks.
  • Suggest employees perform other duties while they wait: Updates can take some time, so encourage employees to take their breaks when the software is updating or tackle other work tasks that don’t require computer use.
  • Make time to review the new software: Learning new software may seem overwhelming to some employees, so you may want to schedule a presentation time to go over the new software or allow employees time in their schedules to learn the software on their own.
  • Educate employees about the risks of outdated software: Your employees simply might not be aware of all the risks that come with using outdated or unauthorized software or turning off security features, so discuss these dangers with them.
  • Inform employees about the benefits of the new software: Sometimes, workers may prefer using outdated software because they’ve grown used to it. If you let them know about the benefits of this new software, they’ll be excited about the change.

By providing your employees with education on cybersecurity, you can help combat this negligence in your workplace.

4. Unrestricted Access to Information

Those you entrust with unrestricted access to all information can make mistakes too. These mistakes can be quite costly to your organization. Accounts that have high privileges, such as an admin account, often don’t have adequate security controls to prevent misuse.

Admin passwords are infrequently updated — if updated at all — which can leave these accounts more susceptible to attackers. The attacker can then use the credentials from the compromised admin account to access IT systems or the controls of various resources, compromising your sensitive data.

By giving all accounts the least amount of privilege possible, you can help prevent human errors that occur with unrestricted access to information. You can give high privilege to accounts as needed or for a temporary period of time. You can also implement two-factor authentication to provide an added layer of protection. IT employees should also have both administrative accounts and employee accounts.

5. Lack of Cybersecurity Education

Another common human-centered security issue is a lack of education. Employees may want to concentrate their efforts on what they perceive to be their only work responsibilities, but employees who don’t have the education they need about cybersecurity can make your company more vulnerable.

An insider can make an attacker’s job much easier, allowing them to access critical data, steal credentials and introduce malware into an organization’s system. Your employees can end up the victims of malicious applications or phishing attacks, inadvertently giving hackers access to your company’s valuable data.

What mistakes are caused by a lack of cybersecurity education?

  • An employee uses personal devices for work: Do your employees tend to use their personal devices for work-related tasks? What if an employee forgets their personal laptop or smartphone in a public area? If their device gets stolen, the corporate data on that device can be compromised.
  • An employee clicks on suspicious attachments and email links: Malicious emails are becoming more believable as cybercriminals become more creative and intuitive. These emails land in a user’s inbox instead of their spam folder, and they can threaten your cybersecurity, as clicking on the links can download a malicious script or lead the user to a fake website.
  • An employee plugs in insecure devices: USB drives and other devices may carry malicious code picked up while connected to an outside network. When employees plug these devices into your systems, they can compromise your organization’s cybersecurity.
  • An employee performs system changes that are unauthorized: An employee may make unauthorized changes to your system to speed up processes or improve the convenience of their work tasks. Not only can these modifications disrupt normal company procedures, but they can also bring down the system.
  • An employee uses a public Wi-Fi network that doesn’t have a VPN: Public Wi-Fi in places like restaurants and hotels can be utilized by hackers. Through the use of public Wi-Fi, hackers can install malware, initiate man-in-the-middle attacks and more. Using public Wi-Fi without a VPN means you won’t be encrypting your connection, leaving you vulnerable.

Cybercriminals know how to appeal to consumers — they present themselves as a tax refund or email service so they can get access to a user’s email account. They also hide malicious content on cloud-based storage services and imitate trustworthy domains to evade spam filters.

How to Reduce Human-Centered Vulnerabilities in Your Workplace

To keep your data secure, the best strategy is to avoid employee errors. But with so many possibilities for human errors in the workplace, how do you reduce human-centered vulnerabilities in your organization when using human-centric cybersecurity?

1. Update Your Security Policy

How does your company handle passwords and critical data? Who can access sensitive data and passwords? Which software will your company use for monitoring and security? Your security policy should outline all of your security rules and practices. Revise your policy to ensure the document includes the current best practices.

2. Monitor Employee Activity

You can protect your system against malicious attacks and data leaks by implementing tools that monitor user activity. Through monitoring tools, you can detect and prevent security mistakes caused by employees.

3. Give Accounts the Least Amount of Privilege

Denying all access is one of the easiest ways to secure your corporate data. Allow privilege only on a case-by-case basis for a temporary period of time. Employees should only have access to data that is necessary for them to perform their work tasks, so don’t allow employees to access sensitive data unless absolutely necessary.

4. Instruct Employees on Cybersecurity

Combat skill-based and decision-based human errors through education. By educating your employees on the dangers and costs of their mistakes and the potential threats they should be aware of, your employees can exercise more caution in their work.

Ensure all of your employees are motivated to adhere to the security policy and familiar with the policy. You can accomplish this by giving your employees the knowledge they need about the grave results their errors can cause your organization and emphasizing how these results can affect them.

Reduce Human-Centered Vulnerabilities in Your Workplace With PCS

At PCS, we know that not every company wants to deal with handling IT. That’s why we offer our services to hire, find and direct IT services. We’ll take over the IT challenges your organization is facing, so you can return your focus to running your business.

When we work with our clients, we seamlessly become part of the team. With more than 100 IT professionals, we can provide our clients with the service and support they need. Our solutions are 100 percent customizable to your needs.

Are you ready to get started improving your human-centered security? Contact us at PCS today.

Technology Trends in 2020

Staying in-the-know about tech innovations is essential if you want to stay on top of your industry’s trends. A convergence of factors has IT and infosec professionals abuzz, indicating 2020 is the year several advancements will reach an inflection point and change the ways businesses operate.

In this guide, we’ll discuss the top tech and information security trends of 2020 and which are most relevant to your industry.

Pay Attention to These 11 Technology Trends in 2020

Experts agree: These 2020 tech trends hold the potential to alter the way businesses and consumers interact — internally and with each other:

  1. 5G and Faster WiFi
  2. Computer Vision
  3. Voice Applications
  4. Safer API-Based Systems
  5. More Functional Internet-of-Things
  6. “Flatter” Organizations
  7. Mobile Payments
  8. Artificial Intelligence (AI) and Machine Learning (ML) Security
  9. Mobile Apps
  10. Blockchain Developments
  11. The Always Connected PC (ACPC)

1. 5G and Faster WiFi

5G internet has hovered in the public lexicon for a few years. Yet 2020 marks a turning point for the “fifth generation” of wireless technology, with U.S. cellular carriers promising infrastructure with lightning-quick download speeds, more device connections and command latencies in the milliseconds (basically imperceptible to the eye).

The implementation of 5G across the next few years will not be without its hiccups, though. The overwhelming majority of today’s devices cannot connect with 5G’s unique high-frequency radio towers, requiring significant IT hardware and software updates. Plus, only a handful of cities nationwide currently host such 5G towers, serving as beta sites for all major carriers to test their deployments.

In 2020 and beyond, more mainstream 5G will unquestionably trigger additional IT ecosystem developments all organizations must address, including:

  • Internet-of-things suited bandwidth: The proliferating amount of interconnected devices — from computers and smartphones to wearables, robots, smart vehicles and more — requires larger and larger bandwidth figures to keep devices communicating properly.
  • Updated firewalls: Businesses looking to embrace a 5G network will also need to rework current firewall throughput. Many current firewalls will be unable to support the data speeds and flows unleashed by 5G.
  • Stronger edge computing: 5G also improves the business realities of edge computing, namely with its emphasis on local cell towers and local data processing and trafficking to reduce latency.

2. Computer Vision

As its name suggests, computer vision enables machines and equipment to “see” using autonomous cameras. Computer vision cameras are a central piece of technology to many security and operational enterprise advancements, such as the following:

  • Business offices and buildings, for enhanced security and around-the-clock “smart building” entry and exit monitoring.
  • Manufacturing/production centers, where computer-vision cameras have increased in popularity to spot defective products or components before moving onto next-phase production.
  • Warehouses, for enhanced sorting, picking and packing functions, among others.
  • Autonomous cars, including freight trucking and last-mile delivery vehicles poised to change supply chain logistics.

The expanding adoption of computer vision cameras comes with an important question, though. Enterprises using these sight-enabled machines and equipment must reconcile the mounting IT ethics behind gathering 24/7 visual data, particularly regarding facial recognition. Organizations must set up transparent computer vision policies, including gathering employees’ and even consumers’ consent about the technology’s usage and highlighting its ethical business case.

3. Voice Applications

Over a third of Americans use voice assistants. Industry projections say that by 2022 over 50 percent of households will have and use a voice assistant, both within their smartphones and through household and car-integrated devices.

This tremendous user uptick will push businesses to prioritize voice applications in several ways:

  • Office usage uptick: In 2020 and beyond, employees will start to expect voice assistants at work just as much as they do at home. From adjusting office lighting to booting up technology, scheduling meetings, reading emails and searching the internet to enhanced office surveillance and controlling other connected network devices, worker tasks and activities will become more reliant on voice technology.
  • Increased “ask” apps: The rise of voice content means organizations will begin shaping digital content for voice search. Brands like Purina’s “Ask Purina” are ahead of the curve here, creating a voice-exclusive application where dog owners can ask breed-related questions, from ideal diets and exercise routines to in-the-moment health questions, all using a familiar voice assistant.
  • Fewer wake words: Currently, popular voice devices require a “wake” word to activate (e.g., “Alexa” in the question, “Alexa, what’s the weather today?”). Wake words let the assistant know you’re talking to it and not, say, yourself. Advancements in voice technology will allow you to speak to assistants more naturally, without the triggering wake word to conduct a search.
  • Enhanced voice assistant personalization: Further voice assistant developments in 2020 will allow devices to understand who’s speaking and therefore deliver responses based on individualized voice profiles. Separate voice profiles can, for example, allow assistants to read your correct schedule for the day and not your coworker’s, or save your correct payment or account information.

4. Safer API-Based Systems

APIs, or application programming interfaces, allow different pieces of software to communicate with each other in a safe, standardized way. APIs are central when building proprietary software, evolving into microservice architecture, as well as transferring your enterprise data to vital business or service partners.

Already, we’re seeing an explosion in API integrations across industries, particularly in banking and fintech. Other technologies also require APIs to function. Yet, for the average business, utilizing APIs safely has another important onus: As more employees and customers use more devices with more apps, they’ll simply expect those devices and apps to communicate with one another.

This expectation puts pressure on businesses to ensure their own software programs, products and services integrate seamlessly with others, and that those underlying data connections are safe. Such API security priorities we’ll see in 2020 include:

  • API gateway controls, improving traffic authentication, so you know who’s requesting your data, where and for what purpose.
  • Tighter API data delegation, helping prevent unauthorized third parties from requesting your data, as well as exposing hacks and breach attempts.
  • Expansion of open authorization protocols, which allow users (i.e., your employees or your customers) to give permission for their data to be used by other apps and services without handing over their accounts’ passwords.

5. More Functional Internet-of-Things

The internet-of-things buzzword gets tossed around frequently in the business world. In 2020 and beyond, we’ll see its power come into fuller effect — often working without human oversight — to 24/7 connect the burgeoning amount of autonomous and smart devices businesses will use to execute core functions.


Take, for example, delivery logistics. Within the next decade, we may see computer-vision-enabled warehouse bots connect with your ERP to receive a new customer order, then pick the corresponding order’s SKU from warehouse racks. That bot then moves the item to the packaging station, where it is wrapped by an autonomous machine. Soon, the order is loaded onto an autonomous vehicle driving it to a local distribution center where drones pick it up and conduct last-mile logistics, dropping it at the customer’s door.

This end-to-end order management is enabled only by the internet-of-things, which harmonizes data and edge devices and lets your business use new equipment to its fullest.

6. “Flatter” Organizations

The past decade’s software advancements allow organizations to practice greater data visibility and oversight than ever. Tools like ERPs, CRMs and other resource planners assist departments, letting employees quickly and conveniently find the information they need to execute their work without bothering employees in other departments for data access.

As technology allows ever greater data and process transparency, we’ll see organizations subsequently turn “flatter.” Defined by reduced informational and managerial hierarchies, flat organizations trim bureaucratic red tape to improve the speed and proactivity of decision-making. Managers will no longer be relegated to constantly approving workloads, task routes and resolutions, since employees are empowered to make these decisions — and those decisions are easily identified and tracked in horizontal, enterprise-accessible logs.

7. Mobile Payments

In the next decade, businesses must pivot to keep up with the times, embracing prominent payment trends like:

  • The accelerated use of mobile wallets (e.g., Apple Pay) over cash and card transactions.
  • Voice-recognition transactions, including voice command-led online purchases, as well as voice-based two-factor authentication.
  • Mobile fintech portals providing a “one-stop-shop” look into a user’s complete financial portfolio (bank accounts, investments, mobile payment history, etc.).
  • Mobile alerts for purchases, account notifications and order updates.

8. Artificial Intelligence (AI) and Machine Learning (ML) Security

Today, most AI and ML cybersecurity programs still reside in the “supervised learning” world. Tomorrow, though, AI and ML will continue their progression into the unsupervised learning space:

  • Supervised learning requires a computer program or piece of software to come with programmed directions, or parameters, guiding how it works and what it can — or can’t — do. In short, supervised programs need to be told how to track and compare new data.
  • Unsupervised learning programs, though, do not need pre-programmed data examples or parameters. These applications can identify data patterns on their own, then alert relevant people when manual data reviews or actions need to be performed.

This transition to autonomous data supervision allows business cybersecurity teams to automate an unprecedented amount of network and device security activities. In particular, AI and ML security programs will be better able to:

  • Identify new or unauthorized network access and similar security risks.
  • Track endpoints and devices better, particularly with the growing number of devices enabled by the internet-of-things, which increases threat vectors.
  • Trigger alerts for security updates or maintenance needs.
  • Create smarter usage habits, authentication systems and data encryption, bolstering security defenses.

9. Mobile Apps

2020 will also bring major changes and consumer trends affecting mobile applications.

The current app ecosystem still predominantly relies on mobile-app devices, typically a computer or smartphone. However, mobile app developments in the next decade will be influenced by many of the IT advancements on this list — plus a few extra goodies, including:

  • Growth of the instant app: Many smartphone owners know the frustration of managing low storage space on their mobile devices or using apps that take up too much room even on unencumbered phones, tablets and wearables. Instant apps offer an alternative, letting users access a smaller version of an app without actually installing it on their devices. Instant apps have grown in popularity in the past few years, with many thought leaders predicting a new, widening rollout of app brands and developers producing instant versions of their most popular applications in 2020 and beyond.
  • Voice-enabled personalization: Many business apps will adapt to match the growing popularity of voice search. In some cases, organizations may even deploy voice-specific applications to answer user queries or provide specific services. Organizations may also begin implementing voice-controlled security and authentication for in-office devices and programs alongside these voice deliverables for consumers.
  • 5G connection capabilities: 5G’s quicker data delivery and almost non-existent latency means apps won’t have to work as hard to perform core functions. This preserves your mobile device’s battery life and extends the usability of your apps, plus also introduces a mobile platform finally functional for in-depth augmented reality (AR) and virtual reality (VR) apps that congested all previous networks.

10. Blockchain Developments

Blockchain had its biggest year yet in 2019. Major companies — from IBM to Walmart, FedEx to Facebook and more — committed to blockchain developments for various pilot — and often proprietary — programs, adding legitimacy to the decentralized ledger technology. Many hope to use blockchain beyond its transaction recording and management origins, though, expanding it for dual security and service-related offerings:

  • Internal blockchain business advantages: Internally, blockchain offers improved tracking for physical and non-physical enterprise assets. Blockchain ledgers can be used across the supply chain to identify production problems or proper recall points for goods, to bolster vendor compliance, trigger proof-of-delivery transactions or track system or network log-ins.
  • External blockchain business advantages: Outside your business’ walls, blockchain technology can help manage more secure vendor payments, contracts and business partnerships by triggering payment or settlement transactions after the ledger notes a complaint or sees goods have been delivered. Blockchain data ledgers are also more secure and transparent, given their decentralized setup and encrypted framework that cannot be altered.

IT trends in 2020 will likely embrace blockchain as a transaction-tracking and management system for goods and services across clients, suppliers and vendors. Many will need to create ledgers addressing the tool’s top pain point, though: interoperability. Currently, blockchain-designed programs are unable to share their information with anything outside themselves (i.e., other transaction-management systems or even other blockchain ledgers), preventing the tool from reaching its full potential.

11. The Always Connected PC (ACPC)

Always Connected PCs are the next generation of computers as we know them. Boasting the same processing technology as today’s top smartphones, but placed inside a laptop or computer’s hardware, the ACPC presents a range of capabilities no other device does, including:

  • 24/7/365 web access: As their name suggests, an ACPC should always have access to the web via both LTE and WiFi connections, even when you close up the computer. Most recently, a Lenovo-Qualcomm partnership announced its plan to produce 5G-connected ACPCs for 2020.
  • Qualcomm processor chips: A smartphone-mirroring microprocessor allowing integration with a Windows 10 operating system.
  • Extensive battery life: In some units, developers claim 20+ hours without the need to charge.
  • Ultra-lightweight: Allowing laptops to be portable and user-friendly without sacrificing functionality.

Early models of the Always Connected PC were not without their flaws, though. Many users experienced issues loading and running a handful of 64-bit apps on their laptops, including some popular Microsoft Office programs. Next-phase ACPC models produced in 2020 and beyond will prioritize fixing these bit-version incompatibility snafus, with producers like Lenovo stating their commitment to providing a fully synchronized, true-to-its-name breed of computer.

Stay on Top of Technology Trends With PCS

It’s exhausting keeping tabs on tech business trends for the next 10 years — and beyond. That’s where PCS comes in.

We work with clients to untangle IT. From IT project support to a dedicated, fully managed IT team taking care of the bulk of your IT operations, let us handle your business’ tech side — so you have one less thing to worry about.

See what IT work we can take off your shoulders, then request a personalized quote.