Human-Centered Vulnerabilities in Cybersecurity

Technology has traditionally been the focus in cybersecurity, but now experts are saying we need to make a shift in our focus to human-centered cybersecurity.

Of course, with any system, there are flaws. In the case of human-centered cybersecurity, it’s important to know what vulnerabilities you could be facing in your security.

What Are Human-Centered Vulnerabilities?

First, what exactly is human-centered security? When a human is at the center of cybersecurity, this is human-centered security. Your data is most valuable when it’s being used by a person or being displayed. This is also the point at which your data is the most vulnerable.

The point of contact between data and humans is when your data is most valued, available and at risk, so you’ll want to ensure it’s also at its most protected.

Risks of Human Mistakes in Your Information Technology

Humans make mistakes, and when it comes to your sensitive corporate information, these mistakes can have dire consequences. Data breaches can be caused by employees when they:

  • Unintentionally email documents that include sensitive data.
  • Send sensitive data via email to the wrong recipients.
  • Cause unwanted access by misconfiguring assets.
  • Mistakenly publish confidential data on a public website.

While the cost of a human error may not be as expensive as a breach caused by a hacker, the consequences can still be significant. Fortunately, your company can implement new or updated policies and changes to prevent human errors in your information technology.

Top Five Types of Human Error in Cybersecurity

Employees can make mistakes that lead to breaches in data. Human factors in information security should not be taken lightly, as errors in cybersecurity cost millions of dollars to remediate. Human errors in cybersecurity fall into two categories:

  • Skill-based human errors: These are errors that occur while a person is performing a familiar activity or task. They know the correct course of action, but they fail to perform the action correctly because of negligence or a temporary lapse. Often these errors occur when an employee is distracted, tired, not paying attention or experiencing a lapse in memory.
  • Decision-based human errors: These are errors that are caused by a user making a flawed decision. Maybe the user doesn’t have enough information about the circumstances or maybe they make a decision by default through inaction.

The following are the top five types of human error in cybersecurity:

1. Misdelivery

The term “misdelivery” refers to the act of sending something to the wrong person. Carelessness and email features like auto-suggest can lead to employees accidentally sending sensitive information to the wrong person.

Another common mistake that causes misdelivery is putting an email address in the “to” field” instead of the “bcc” field. This skill-based error can cause an employee to accidentally expose the private details of multiple people to one another.

Why is this a skill-based error? Because while the employee knew the correct procedure, they made the error out of carelessness. By not double-checking and comparing what they intended to do with what they actually did before sending out the email, they caused a data breach.

Encourage employees to take their time with emails and double-check email addresses and fields before hitting send.

2. Easy Passwords

Another type of human error in cybersecurity is using easy passwords. Your employees need to use strong passwords to protect data — this means establishing clear procedures for storing, sharing and handling passwords.

Hackers can access accounts if they’re able to guess easy passwords or if they’re able to use a brute-force attack. Examples include:

  • Passwords using simple sequences: Passwords that are patterns found on your keyboard, such as “123456” or “9ijn8uhb,” can be easily guessed.
  • Passwords using corporate or personal data: Passwords that contain this type of data can be susceptible to attacks, as they can be guessed by browing the social network accounts of employees.
  • Passwords using default credentials: These may be already known to attackers or easily cracked through a brute-force attack.

Employees may also store their passwords unreliably. Examples of unreliable password storage include:

  • Failing to encrypt passwords: If you’re utilizing a password manager, make sure it uses a strong encryption. Weak or no encryption at all can put passwords at risk.
  • Exposing passwords: Leaving a sticky note with your password on your desk could leave your password exposed to the public.
  • Leaving Passwords open: Storing passwords in Google Sheets or plain text can leave them vulnerable.

When passwords are handled incorrectly, this can also lead to vulnerabilities and create problems. Examples of incorrectly handling passwords include:

  • Changing Your Password too Frequently:Traditionally it was thought passwords should be changed every 60-90 days. Today you should be using stronger passwords (four random words) and not changing them unless you are made aware of a compromise. There are some banking sites, and some types of insurance that require passwords be changed at least every 180 days, which is acceptable as well
  • Managing passwords incorrectly across multiple platforms: If you use the same password for more than one account or vary just one character in each for several accounts, this could make your passwords and accounts susceptible to an attack.
  • Sharing passwords in an insecure way: Employees may send their credentials to their colleagues through unencrypted messengers, making their passwords vulnerable.

Ensuring your company has a dependable password policy can help your employees avoid accidentally sharing their passwords or improperly storing or handling them.

3. The Use of Outdated Software

Hackers love outdated software, as it’s vulnerable and can be exploited easily. When it comes to outdated software, employees can make a hacker’s job easier by:

  • Disabling software security features: Employees may disable security features of software so they can utilize their work devices for personal use or simplify their work. Employees may download a file from a distrustful website or pause browser security or antivirus features, so they can watch something on a suspicious website. Disabling these features can leave an employee open to a data breach.
  • Ignoring updates for software: Ignoring updates can also lead to data breaches. For example, the security of unpatched software can be breached, and older versions of Windows can be susceptible to ransomware outbreaks.
  • Downloading software that’s unauthorized: Even the software you use to protect your security could pose a risk to the cybersecurity of your company. When the software itself is malicious, it can immediately compromise your corporate data. Even if the software doesn’t have viruses, it could have vulnerabilities that are known by attackers.

Employees may offer excuses for not updating their software, so try using the following tactics to get them on board:

  • Encourage updates: Make it part of your everyday culture to encourage updates. Let your employees know that making the time to take care of the updates is acceptable and encouraged.
  • Include software updates in work schedules: Employees may feel overwhelmed by work tasks and worry about breaking their concentration to perform a software update. Let employees know that updated software is crucial to their work performance and that they can include software updates in their schedule or list of work tasks.
  • Suggest employees perform other duties while they wait: Updates can take some time, so encourage employees to take their breaks when the software is updating or tackle other work tasks that don’t require computer use.
  • Make time to review the new software: Learning new software may seem overwhelming to some employees, so you may want to schedule a presentation time to go over the new software or allow employees time in their schedules to learn the software on their own.
  • Educate employees about the risks of outdated software: Your employees simply might not be aware of all the risks that come with using outdated or unauthorized software or turning off security features, so discuss these dangers with them.
  • Inform employees about the benefits of the new software: Sometimes, workers may prefer using outdated software because they’ve grown used to it. If you let them know about the benefits of this new software, they’ll be excited about the change.

By providing your employees with education on cybersecurity, you can help combat this negligence in your workplace.

4. Unrestricted Access to Information

Those you entrust with unrestricted access to all information can make mistakes too. These mistakes can be quite costly to your organization. Accounts that have high privileges, such as an admin account, often don’t have adequate security controls to prevent misuse.

Admin passwords are infrequently updated — if updated at all — which can leave these accounts more susceptible to attackers. The attacker can then use the credentials from the compromised admin account to access IT systems or the controls of various resources, compromising your sensitive data.

By giving all accounts the least amount of privilege possible, you can help prevent human errors that occur with unrestricted access to information. You can give high privilege to accounts as needed or for a temporary period of time. You can also implement two-factor authentication to provide an added layer of protection. IT employees should also have both administrative accounts and employee accounts.

5. Lack of Cybersecurity Education

Another common human-centered security issue is a lack of education. Employees may want to concentrate their efforts on what they perceive to be their only work responsibilities, but employees who don’t have the education they need about cybersecurity can make your company more vulnerable.

An insider can make an attacker’s job much easier, allowing them to access critical data, steal credentials and introduce malware into an organization’s system. Your employees can end up the victims of malicious applications or phishing attacks, inadvertently giving hackers access to your company’s valuable data.

What mistakes are caused by a lack of cybersecurity education?

  • An employee uses personal devices for work: Do your employees tend to use their personal devices for work-related tasks? What if an employee forgets their personal laptop or smartphone in a public area? If their device gets stolen, the corporate data on that device can be compromised.
  • An employee click on suspicious attachments and email links: Malicious emails are becoming more believable as cybercriminals are becoming more creative and intuitive. These emails end up in a user’s email inbox instead of their spam folder, and these emails can threaten your cybersecurity, as clicking on the links can download a malicious script or lead a user to a fake website.
  • An employee plugs in insecure devices: USB drives and other devices may contain malicious codes that appear after being exposed to an outside network. When employees plug in these devices to your system, they can compromise your organization’s cybersecurity.
  • An employee performs system changes that are unauthorized: An employee may make unauthorized changes to your system to speed up processes or improve the convenience of their work tasks. Not only can these modifications disrupt normal company procedures, but they can also bring down the system.
  • An employee uses a public Wi-Fi network that doesn’t have a VPN: Public Wi-Fi in places like restaurants and hotels can be utilized by hackers. Through the use of public Wi-Fi, hackers can install malware, initiate man-in-the-middle attacks and more. Using public Wi-Fi without a VPN means you won’t be encrypting your connection, leaving you vulnerable.

Cybercriminals know how to appeal to consumers — they present themselves as a tax refund or email service, so they can get access to a user’s email account. They also hide the illegal content with cloud-based storage services and imitate trustworthy domains to evade spam filters.

How to Reduce Human-Centered Vulnerabilities in Your Workplace

To keep your data secure, the best strategy is to avoid employee errors. But with so many possibilities for human errors in the workplace, how do you reduce human-centered vulnerabilities in your organization when using human-centric cybersecurity?

1. Update Your Security Policy

How does your company handle passwords and critical data? Who can access sensitive data and passwords? Which software will your company use for monitoring and security? Your security policy should outline all of your security rules and practices. Revise your policy to ensure the document includes the current best practices.

2. Monitor Employee Activity

You can protect your system against malicious attacks and data leaks by implementing tools that monitor user activity. Through monitoring tools, you can detect and prevent security mistakes caused by employees.

3. Give Accounts the Least Amount of Privilege

Denying all access is one of the easiest ways to secure your corporate data. Allow privilege only on a case-by-case basis for a temporary period of time. Employees should only have access to data that is necessary for them to perform their work tasks, so don’t allow employees to access sensitive data unless absolutely necessary.

4. Instruct Employees on Cybersecurity

Combat skills-based and decision-based human errors through education. By educating your employees on the dangers and costs of their mistakes and the potential threats they should be aware of, your employees can exercise more caution in their work.

Ensure all of your employees are motivated to adhere to the security policy and familiar with the policy. You can accomplish this by giving your employees the knowledge they need about the grave results their errors can cause your organization and emphasizing how these results can affect them.

Reduce Human-Centered Vulnerabilities in Your Workplace With PCS

At PCS, we know that not every company wants to deal with handling IT. That’s why we offer our services to hire, find and direct IT services. We’ll take over the IT challenges your organization is facing, so you can return your focus to running your business.

When we work with our clients, we seamlessly become part of the team. With more than 100 IT professionals, we can provide our clients with the service and support they need. Our solutions are 100 percent customizable to your needs.

Are you ready to get started improving your human-centered security? Contact us at PCS today.