The human element
in cyber security:
When user error
is the problem

Verizon's 2020 Data Breach Report ranked mis-delivery and misconfiguration—inadvertent exposures of data caused by human error—as the third and fourth most common causes of breaches in 2020, respectively, up from sixth and eighth places in 2015.

Human factors of cyber security have been behind some of the biggest data breaches in recent memory. Last year's massive theft of 100 million records held by Capital One was caused by a misconfigured firewall. While last fall, thieves swiped more than 24 million user account records from Lumin that had been left in the open for months. FedEx was in hot water two years ago when it was revealed that nearly 119,000 documents, many of which contained highly sensitive customer information, were left unprotected on an Amazon S3 storage instance. And, according to Gartner, “through 2025, 99% of cloud security failures will be the customer’s fault.” ¹

The simplest approach is to educate end-users about the human element in cyber security. At work, employees need to be aware of the risks of clicking on links in emails from unknown senders or senders masquerading as known sources through techniques like address spoofing. And managers need to stress the importance of employee vigilance. Verizon found that email was the delivery mechanism in 94% of malware attacks in 2019. Nearly all incidents of the devastating new form of malware called ransomware are triggered by phishing links.

IT organizations can go beyond education, though. By periodically conducting simulated phishing attacks, they can pinpoint the most vulnerable users and single them out for education. Consider setting up a dedicated internal email account, and invite users to forward suspicious emails to be checked before taking action upon them.

Education is also needed to avoid misconfiguration risks. Organizations have eagerly embraced cloud platforms to give users more control over their computing needs, but many have not provided sufficient training about the shared responsibility model that is common to most cloud platform providers. That rule states that the cloud takes care of securing infrastructure, but users are responsible for securing access, applications, storage and the operating software stack. Enterprise Management Associates (EMA) reported last year that 53% of IT and security professionals believed cloud infrastructure providers are accountable for most or all public cloud security. It's safe to assume that awareness is even lower in the user community.

IT organizations can also work more closely with their cloud providers to improve visibility into what users are doing with their accounts. The EMA study also found 73% of enterprise security teams said lack of visibility within cloud infrastructure limits their effectiveness. While cloud providers are working hard to address the problem, customers can apply their pressure to ensure that the controls needed to lock down information are clear and easy to use. IT organizations can also take the simple step of implementing multi-factor authentication on cloud accounts so that precious data isn't protected by an easily guessed password.