Human risk in cyber security is a growing concern, with numerous studies indicating that human errors, whether intentional or accidental, are a leading cause of security breaches. According to research from Stanford University and Tessian, 88% of data breaches are caused by employee mistakes. The involvement of humans in the cyber security chain is a significant risk factor, and most organisations have anecdotal evidence of the impact of human error on their own security incidents. To effectively mitigate these threats, organisations must tackle human resource management risks by addressing vulnerabilities not only among employees but also among non-employees such as contractors and partners.
This guide explores the various types of human risk within an organisation and offers strategies to reduce these risks, with a focus on building a secure and resilient workforce.
To Err is Human: Defining Human Risk
Defining what ‘human error’ means is important in working out how to minimise the risk of a human-related security error.
Human error can be broadly categorised into two areas:
Oversights
Mistakes and errors happen, and when they do, the threat to an organisation increases. A typical example of an oversight is an employee accidentally sending an email containing sensitive information to the wrong recipient, also known as misdelivery of an email.
Another example of an oversight is the misconfiguration of a cloud component such as a database. Yet another is assuming it is acceptable to share a password with a colleague. Oversights cover the general area of the mishandling of sensitive data by employees, which can lead to non-compliance, fines and loss of customer trust.
Deception
Social engineering scams, such as phishing emails containing malicious attachments or links, increase human risk in an organisation.
Another example of an employee being tricked by a malicious actor is Business Email Compromise (BEC), a scam in which a cybercriminal deceives employees into paying fraudulent invoices. Whether an employee is deceived or unintentionally causes a mistake, the result can be catastrophic. The FBI’s Internet Crime Complaint Center (IC3) report on BEC crime, for example, found that losses due to BEC in 2020 amounted to $1.8 billion.
For a more detailed discussion of the role of employees in organisational cyber security, refer to the article Building a Human Firewall which highlights the importance of employee training and awareness in creating a strong first line of defence.
Five Strategies to Mitigate Human Risk
To reduce human resource management risks, organisations can implement five key strategies to improve security hygiene and lower the risk associated with human error:
1) Break the Cycle of the Click
Employee habits, influenced by user-friendly UI/UX design, can lead to careless actions, such as clicking on malicious links without thinking. To counteract this, controlled phishing tests can help modify click behaviour, encouraging employees to be more cautious in their actions.
2) Build a culture of security
Cyber risk is everyone’s business. When building a cyber security culture, you should focus sharply on areas that increase risk in a business or a process, while being aware that there may be different or varying levels of risk depending on the department or even the employee. Cyber security culture-building exercises need to reflect the granular needs of a business, and by creating a culture of cyber security awareness, you can help to de-risk through knowledge.
3) Support better decisions
Many human errors that lead to increased cyber risk are simply poor judgement. Human error covers a wide array of issues that lead to data exposure and other security incidents. Sometimes, it is simply a case of not having the information at hand to make a good decision. And sometimes, it is about putting structures in place, so that the wrong decision cannot be made. Security hygiene is a case in point.
Research from Yubico found that 69% of employees share passwords to make account access easier. To de-risk the human factor at work, teach staff about the importance of not sharing passwords, and back this up by enforcing second factor authentication (2FA) on every application that supports it.
4) Cyber hygiene to de-risk human error
Teaching employees about cyber hygiene adds weight to the security hygiene issues mentioned above. Cyber hygiene covers a range of areas and includes a clean desk policy that is enforceable. Best practice cyber hygiene will minimise online security risks and keep IT systems healthy. It will also help in compliance with security standards such as ISO 27001.
The practice of cyber hygiene extends from employees into a general attention to the health of IT systems; this includes using appropriate tools to monitor potential threats, ensuring that digital certificates are renewed before they expire, that patches are swiftly deployed, and so on. Good practice cyber hygiene involves ensuring that any human error in the configuration of systems or in business processes is caught before it can be exploited.
For more on how to enforce cyber hygiene and minimise human risk, see the article Human Risk Management in Cyber Security: Safeguarding Your Organisation with Effective Hygiene Practices.
5) Make people part of your layered approach to security
Employees are often the source of an increase in cyber risk, but they are also where an organisation can de-risk the human factor. By ensuring that employees and non-employees are part of a layered approach to cyber security, your company can ensure holistic de-risking of ‘people, processes, and technology’.
By engaging all staff in training, from the CEO to the most recently appointed, you cover all of the gaps where data can leak, or where security mishaps can occur.
Reducing Risk in Human Resource Management
Human errors and social engineering remain some of the largest threats to an organisation’s cyber security. However, by taking proactive steps—such as fostering a strong security culture, promoting cyber hygiene, and integrating employees into a robust security framework—organisations can significantly reduce their human resource management risks. A well-informed and engaged workforce is essential for transforming human vulnerability into a strategic asset, strengthening the organisation’s overall resilience to cyber threats.