Why human error is still your top cybersecurity risk
Mitigo deal with countless cyber incidents every year. Most of them have one thing in common – human error.
A typical example is staff falling for a phishing campaign and handing over their login credentials, which then allow criminals to gain access to your business.
System administrators can also be the root cause – we see examples of bad configuration and disabled security controls, which leave the business wide open to attack.
Increased risk from remote working
Remote working can increase risk.
Staff tend to behave differently in a more relaxed, home-based environment and may let their guard down.
Cyber criminals know this, and attack using mass phishing emails, trick text messages and impersonation phone calls.
They gather information and exploit vulnerabilities. Defending against this requires a far more sophisticated approach than technology alone.
You need a layered approach to control the ‘human factor’. There are four things you must consider in mitigating the risk of human error.
1. Policies – what’s allowed?
Your starting point is to agree what is and what is not allowed.
Are your staff aware of your policies and processes?
That is not to say that everything should be banned, far from it. However, understanding the risks attached to your policies allows you to put in place proper mitigations.
For instance, do you allow staff to:
- use company computers to log in to personal accounts such as Google
- use personal mobile phones to access work emails
If uncontrolled, these two things can cause significant issues.
Does this sound like your firm? If so, we recommend you do something about it.
2. Preventative controls
Only once you understand what your policies are can you begin to consider how to configure the technology you already have in place.
Your software and systems will have controls that can dramatically reduce the risk if you get an expert to properly configure them.
From web browser settings through to antivirus and laptop configuration, getting these working together coherently will reduce your reliance on staff getting it right every time.
3. People competence
It is not enough just to tell people to be careful and to look out for ‘dodgy’ emails.
Training, testing, simulation, and communication are the tools needed to improve staff competence against these threats.
Typically, we find that 20% to 25% of staff will fall for a simulated attack, but you can address this by implementing a proper cyber awareness programme.
Effective training and improved communications will start to change culture.
4. Monitoring and assurance
This final layer is about taking proportionate measures to make sure you stay in control, and to help you sleep at night.
How often do you check that staff are complying with your policies?
Do you have any kind of independent assurance that the configuration and controls that you have set up:
- provide protection
- continue to work
- are not becoming ineffective over time
At its core, this is all about risk management.
You need to make yourself aware of the cyber threats facing your business and the likely consequences of successful cyber attacks. These four layers should be used to mitigate and control the risks to reduce them to an acceptable level.
We have partnered with Mitigo to offer technical and cybersecurity services with exclusive discounts for our members. For more information contact Mitigo on 020 8191 9205 or email firstname.lastname@example.org.