Technology exists to enable people. Whether they use it for personal or professional reasons, people are the common link driving technology adoption.
On the other hand, while technology is often predictable, people are not. It’s easy to question why humans are the weakest link in cybersecurity, but the answer — like people — is more complex.
Why are people the weakest link in the people, process, technology chain?
Cybersecurity professionals focus on three primary categories that help them protect data: people, processes, and technology. Taking a look at each of these provides insight into why it’s easy to consider people the weakest link.
Technology, in itself, never makes mistakes. People program technology, then it does what they tell it to do. It can be verified and provide repeatable outputs, and even artificial intelligence (AI) is a series of algorithms programmed by people.
While technology may be flawed, as evidenced by security vulnerabilities in software, the fixes to those flaws have been made much easier due to objective solutions such as security patch updates.
Similar to technology, processes do not “act” on their own. They are a set of steps that people follow so that they can repeatedly achieve a consistent outcome.
When a process breaks, people can review it, find the problem, and create an immediate fix by updating it. Similar to technology again, fixing a broken process has a clear solution.
Unlike technology and processes, people are complex. They think for themselves and make their own decisions. Sometimes, these are good decisions and other times they are bad ones.
People are error-prone, and no clear fix for that exists. Because they are unpredictable, people will make the same mistake multiple times. At the core, the inability to find a way to prevent people from repeating a mistake is what makes them the weakest link in the chain.
What are some cybersecurity risks caused by humans?
Human error risk can lead to several different types of cybersecurity concerns.
As companies adopt more cloud-based technologies, people need to create more passwords. Unfortunately, people may not always remember everything, and they dislike having to request a password reset because it decreases their productivity.
These two problems often lead people to choose easy-to-remember passwords. In practice, this means they often default to:
- Using the same password in multiple locations
- Using passwords that include a loved one’s name or a season
- Using a series of numbers like 12345
These tricks keep them from forgetting the password, but they also make the passwords an easy target for cybercriminals.
For the same reason that people hate making new passwords, they also tend to avoid multi-factor authentication (MFA). Any additional step, whether clicking on an authentication application or waiting for a code, creates a barrier to adoption. People want quick access to their resources so that they can get their jobs done.
According to the 2021 Data Breach Investigations Report, misconfigurations accounted for the top error variety in the Miscellaneous Errors breach category. System administrators and developers can make mistakes that lead to data breaches. For example, forgetting to change a default password on a server increases the likelihood that cybercriminals will be able to gain access. Copying and pasting a configuration from one serverless function to a different one is another potential cybersecurity risk created by misconfigurations and human error risk.
What types of attacks target the human factor?
Threat actors know that human error leaves organizations at risk, and they regularly try to exploit it.
Social engineering attacks
When cybercriminals engage in social engineering attacks, they specifically focus on exploiting vulnerabilities in human nature. For example, most phishing campaigns are successful because they prey on emotions. They often invoke urgency so that people will not stop to think. In their haste, they take action against the company’s and their own best interests.
In a dictionary attack, cybercriminals try to break into a password-protected device or resource by systematically trying known weak passwords. Since lists of commonly used passwords are easy to find on the internet, these attacks are often successful.
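As an added illustration that is not part of the original article, the following Python check screens a candidate password at the moment it is set against the habits listed above (reuse, a loved one's name or a season, sequential digits) and against the kind of commonly used password list a dictionary attack draws from. The COMMON_PASSWORDS set and the per-user salt are constructed placeholders; a real deployment would load a large breached-password list.

```python
import hashlib

# Constructed stand-in for a "commonly used passwords" list; real lists run to millions.
COMMON_PASSWORDS = {"password", "123456", "12345", "qwerty", "letmein", "welcome"}
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def has_digit_run(pw, min_len=4):
    """True if pw contains an ascending or descending run of digits (e.g. 12345, 4321)."""
    digits = "0123456789"
    for i in range(len(pw) - min_len + 1):
        chunk = pw[i:i + min_len]
        if chunk in digits or chunk in digits[::-1]:
            return True
    return False


def fingerprint(pw, salt):
    """Salted PBKDF2 digest so previously used passwords can be compared
    without keeping their plaintext (assumed per-user salt, 100k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def weak_password_reasons(pw, personal_names=(), previous=()):
    """Return every reason the candidate should be rejected; an empty list means it passed.

    personal_names: names the user has told us about (family, pets) to screen for.
    previous: iterable of (salt, fingerprint) pairs for passwords already in use,
              so reuse across accounts is caught without storing plaintext.
    """
    reasons = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("appears in commonly used password list")
    if any(season in low for season in SEASONS):
        reasons.append("contains a season name")
    if any(name.lower() in low for name in personal_names if name):
        reasons.append("contains a personal name")
    if has_digit_run(pw):
        reasons.append("contains a sequential digit run")
    if any(fingerprint(pw, salt) == digest for salt, digest in previous):
        reasons.append("reused from another account")
    return reasons
```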
Malware and ransomware attacks
Often, malware and ransomware attacks are successful because users fail to apply the security updates that patch common vulnerabilities and exposures (CVEs). Patches can be time-consuming, and people often wait to install them. Cybercriminals use this knowledge to look for vulnerabilities in devices, then they use them as part of their ransomware and malware attacks.
Why are humans the weakest link despite security training and resources?
People are fallible, and they make mistakes. Training and resources may not always be adequate to give people the necessary skills. They provide awareness, but awareness is not the same as education.
Most cybersecurity awareness training programs fail to incorporate best educational practices. Adults learn best when the program:
- Applies to their real lives
- Offers hands-on capabilities
- Gives them a way to build on previously learned information
Most security awareness programs offer a series of videos and multiple-choice tests that do not give adult learners what they need to truly learn.
Many companies fail to supplement cybersecurity awareness training with the tools that help people employ best practices. Companies may purchase a multi-factor authentication solution. However, that only solves part of the problem. Although providing password management technology is becoming more prevalent, too few organizations offer this to their employees. Meanwhile, they add more applications that require more passwords. This creates a vicious cycle driving poor password hygiene.
Remote work adds heightened challenges for companies. Remote work means that people are connecting from risky home networks. Employees are often unable to configure their networks securely. Many may not even know how to change the router’s default password. Even virtual private networks (VPNs) are not entirely secure, as evidenced by a surge in VPN attacks during the first quarter of 2021. Ultimately, people may not have the technical knowledge or experience to protect data.
Managed Detection and Response (MDR) to Overcome Human Error Risk
While human error risk may lead to data breaches, companies are still responsible for mitigating that risk. MDR reduces the likelihood of a successful attack by monitoring for new threats, vulnerabilities, and misconfigurations. When devices, systems, and networks are compromised, MDR provides rapid detection, notification, and response guidance.
As organizations work to reduce the impact that human error risk can have on their environments, MDR offers a way to enhance their security posture. With full coverage across cloud, network, system, application, and endpoint, Alert Logic’s MDR solution gives companies the ability to leverage threat analytics by collecting, analyzing, and enriching data for advanced threat detection and response.