Technology exists to enable people. Whether they use it for personal or professional reasons, people are the common link driving technology adoption. On the other hand, while technology is often predictable, people are not. It’s easy to question why humans are the weakest link in cybersecurity, but the answer — like people — is more complex.
Why Are People the Weakest Link in Cybersecurity?
Cybersecurity professionals focus on three primary categories that help them protect data: people, processes, and technology. Taking a look at each of these provides insight into why it’s easy to consider people the weakest link.
Technology does not make mistakes of its own. People build it, and it does exactly what it was built to do, bugs included. Its behaviour can be verified and it produces repeatable outputs; even artificial intelligence (AI) is a set of algorithms written and trained by people.
So while technology is often flawed, as the steady stream of software vulnerabilities shows, it is logical and obedient. We can change how we instruct it and correct those flaws with objective fixes, such as security patches.
Similar to technology, processes do not “act” on their own. They are a set of steps that people follow so they can repeatedly achieve a consistent outcome.
When a process breaks, people can review it, find the problem, and create an immediate fix by updating it. Similar to technology again, fixing a broken process has a clear solution.
[Related Reading: How to Create a Cybersecurity Program]
Unlike technology and processes, people are complex. They think for themselves and make their own decisions. Sometimes, these are good decisions and other times they are bad ones, sometimes they are rational, other times they are irrational.
People are error prone, and there is no clear fix for that. They are predictable in one sense: we know they will make mistakes. They are unpredictable in another: we do not know which mistake comes next. In many cases people repeat the same mistake despite awareness training. At the core, the difficulty of preventing a known mistake from recurring, combined with the difficulty of anticipating the next new one, is what makes people the weakest link in the chain.
What are Cybersecurity Risks Caused by Humans?
Human error risk can lead to several different types of cybersecurity concerns.
As organizations adopt more cloud-based technologies, people create more passwords. Unfortunately, people may not always remember everything, and they dislike requesting a password reset because it decreases their productivity.
These two problems often lead people to use easy-to-remember passwords. Fundamentally, this means they may default to using:
- The same password in multiple locations
- Passwords that include a loved one’s name or season
- A series of numbers such as 12345
These tricks keep them from forgetting the password but make the passwords an easy target for cybercriminals. Simple passwords are quickly guessed with dictionary or brute-force techniques. Even a complex password can be stolen from one website, sold on the dark web, and then tried against other websites (credential stuffing). If your banking password is the same as your ecommerce password, you are trusting the ecommerce website with a way to access your money.
Find out if your password is one of the top 100,000 compromised passwords. If it is, change it.
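One way to run that check without handing your password to anyone is the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known suffix for that prefix, and does the comparison locally. The example below is added here and is not code from the original article or from Alert Logic; the local `FAKE_RANGE_DB` is constructed so it runs offline (the SHA-1 of "password" is real, the breach count and the second suffix are made up), and the `live_fetch_range` function shows how the same logic would call the real service.

```python
"""Check a password against a breached-password corpus without sending it anywhere.

Added example, not from the original article. It follows the k-anonymity scheme
of the Pwned Passwords range API: only the first 5 hex characters of the SHA-1
digest leave the client; the full digest is compared locally.
"""
import hashlib
from typing import Callable, Dict, List

# CONSTRUCTED stand-in for the range service: prefix -> "SUFFIX:COUNT" lines.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 is a real value;
# the count 3861493 and the second suffix are made up for this example.
FAKE_RANGE_DB: Dict[str, List[str]] = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2",
    ],
}


def offline_fetch_range(prefix: str) -> List[str]:
    """Return the suffix lines for a 5-hex-char prefix from the constructed corpus."""
    return FAKE_RANGE_DB.get(prefix.upper(), [])


def live_fetch_range(prefix: str) -> List[str]:
    """Same contract, but against the real Pwned Passwords range endpoint.

    Not called by default; swap it in as the fetch_range argument when online.
    """
    import urllib.request

    url = f"https://api.pwnedpasswords.com/range/{prefix.upper()}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8").splitlines()


def breach_count(
    password: str,
    fetch_range: Callable[[str], List[str]] = offline_fetch_range,
) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    The service only ever sees the 5-character prefix, which matches roughly
    1/16^5 of all possible SHA-1 digests, so it cannot tell which one was queried.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_is_compromised(password: str) -> bool:
    """Convenience wrapper: True if the password has appeared in a known breach."""
    return breach_count(password) > 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times in the (constructed) corpus")
```

The comparison is done on the full 40-character digest, so a different password that happens to share the same prefix is not reported as a match; only the count attached to the exact suffix is returned.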
For the same reason that people hate making new passwords, they also tend to avoid multi-factor authentication (MFA). Any additional step, whether clicking on an authentication application or waiting for a code, creates a barrier to adoption. People want quick access to their resources.
Sending something to the wrong recipient is the top miscellaneous error in the 2023 Verizon Data Breach Investigations Report (DBIR). It is simple, it is embarrassing, and it happens; most people reading this blog have done it at some point. The consequences depend on what was misdelivered, but the embarrassment is a further human factor: it delays the report of the mistake, and therefore the response to it.
System administrators and developers are people too, and their mistakes, misconfigurations in particular, can lead to data breaches.
While the relative prominence of misconfiguration has decreased in more recent versions of the DBIR, the impact of a single one can be significant.
For example, forgetting to change a default password on a server makes it far easier for threat actors to gain access. Misconfigurations are particularly common in cloud environments. Examples include publishing a secret key, neglecting access control, leaving security logging disabled, exposing cloud data stores to the internet, and copying a configuration from one serverless function to another for convenience, permissions included.
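The "exposed cloud data store" case usually comes down to one policy statement that grants access to everyone. The following checker is an added example, not code from the original article or from Alert Logic. It walks a bucket policy in the standard AWS IAM policy language and reports every Allow statement whose Principal is "*" (or `{"AWS": "*"}`) and therefore reachable by anonymous callers; a matching Deny is not a finding. Both policies below are constructed: the bucket name, account ID (the `123456789012` placeholder) and role name are illustrative.

```python
"""Flag bucket policy statements that grant access to anyone on the internet.

Added example, not from the original article. The policy documents are
CONSTRUCTED; only the policy language itself is the real AWS format.
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or a mapping such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement open to anonymous principals.

    A Condition block narrows "*" (for example to a VPC endpoint), so it is
    reported in the finding rather than used to suppress it: it still deserves review.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a hardening, not an exposure
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{i}]"),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def audit_policy_text(text: str) -> List[Dict[str, Any]]:
    """Same check for a policy loaded from a file or an API response."""
    return find_public_statements(json.loads(text))


# CONSTRUCTED: the classic mistake, world-readable objects.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data-bucket/*",
        }
    ],
}

# CONSTRUCTED: read access limited to one role, plus a Deny for plaintext HTTP.
HARDENED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-data-bucket",
                "arn:aws:s3:::example-data-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


if __name__ == "__main__":
    print("weak:", find_public_statements(WEAK_POLICY))
    print("hardened:", find_public_statements(HARDENED_POLICY))
```

Run it over the policies pulled from every bucket in an account and the output is the list of Sids to fix; the same `_principal_is_anyone` test applies to SNS, SQS and KMS resource policies, which use the same document format.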
What Types of Attacks Target the Human Factor?
Threat actors know that human error leaves organizations at risk, and they regularly try to exploit it.
Social engineering attacks
When cybercriminals engage in social engineering attacks, they specifically focus on exploiting vulnerabilities in human nature. Most phishing campaigns are successful because they prey on emotions. They invoke urgency so people will not stop to think. In their haste, they take action against the company’s and their own best interests.
Credential attacks
In a credential attack, cybercriminals try to break into a password-protected device or resource by systematically trying known weak passwords (brute force, or password spraying when a few passwords are tried across many accounts) or by replaying real credentials stolen in an earlier breach (credential stuffing). Since password lists and breach dumps are easy to find on the internet, these attacks are often successful.
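From the defender's side, the two shapes of credential attack look different in authentication logs: brute force is many failures against one account from one source, while spraying is a few failures against many accounts from one source. The detector below is an added example, not code from the original article or from Alert Logic, and the log format (`timestamp src=... user=... result=OK|FAIL`) and the sample lines are constructed; it groups failures per source, applies the two patterns, and also flags a success that follows a run of failures, which is the event worth paging on.

```python
"""Classify login sources as brute force, password spraying, or neither.

Added example, not from the original article. The log format and the sample
lines are CONSTRUCTED; adapt LOG_RE to the real authentication log.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(
    lines: Iterable[str],
    spray_min_users: int = 5,
    brute_min_attempts: int = 5,
) -> Dict[str, List[str]]:
    """Return {source: [tags]} for sources showing a credential-attack pattern.

    password-spray:          failures against >= spray_min_users distinct users,
                             no more than 2 per user (few passwords, many accounts)
    brute-force:             >= brute_min_attempts failures against one user
    success-after-failures:  a later OK for a user the source had already failed on
    """
    fails: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    success_after_fail = set()  # (src, user) pairs that logged in after failing
    for e in parse(lines):
        src, user = e["src"], e["user"]
        if e["result"] == "FAIL":
            fails[src][user] += 1
        elif fails[src].get(user, 0) > 0:
            success_after_fail.add((src, user))

    verdicts: Dict[str, List[str]] = {}
    for src, per_user in fails.items():
        tags = []
        if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
            tags.append("password-spray")
        if any(n >= brute_min_attempts for n in per_user.values()):
            tags.append("brute-force")
        if tags and any((src, u) in success_after_fail for u in per_user):
            tags.append("success-after-failures")
        if tags:
            verdicts[src] = tags
    return verdicts


# CONSTRUCTED sample: one spraying source, one brute-forcing source that gets in,
# and one ordinary user who mistyped a password once.
SAMPLE_LOG: List[str] = (
    [f"2024-05-01T10:00:{i:02d}Z src=203.0.113.7 user=user{i} result=FAIL" for i in range(8)]
    + [f"2024-05-01T10:05:{i:02d}Z src=198.51.100.9 user=alice result=FAIL" for i in range(6)]
    + [
        "2024-05-01T10:06:00Z src=198.51.100.9 user=alice result=OK",
        "2024-05-01T10:07:00Z src=192.0.2.5 user=bob result=FAIL",
        "2024-05-01T10:07:30Z src=192.0.2.5 user=bob result=OK",
    ]
)


if __name__ == "__main__":
    for src, tags in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(tags)}")
```

The thresholds are deliberately low so the sample is readable; in production, tune them per window (for example, per hour) and key on the source network rather than a single address, since spraying campaigns rotate IPs to stay under per-address limits.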
Malware and ransomware attacks
Often, malware and ransomware attacks succeed because users and administrators fail to apply in time the security updates that fix publicly known vulnerabilities (CVEs). Patching takes time, and people put it off. Cybercriminals count on this: they scan for unpatched, internet-facing vulnerabilities to gain an initial foothold, then move on to deploying malware or ransomware.
[Related Reading: How to Perform a Cybersecurity Risk Assessment]
Why Invest in Security Training and Resources?
People are fallible and make mistakes. Training and resources may not always be adequate to give people the skills necessary. They provide awareness, but that is not the same as education.
Most cybersecurity awareness training programs fail to incorporate best educational practices. Adults learn best when the program:
- Applies to their real lives
- Offers hands-on capabilities
- Gives them a way to build on previously learned information
Most security awareness programs offer a series of videos and multiple-choice tests that do not give adult learners what they need to truly learn.
Many organizations fail to supplement cybersecurity awareness training with the tools that help people employ best practices. Companies may purchase a multifactor authentication solution. However, that only solves part of the problem. Although providing password management technology has become more prevalent, too few organizations offer this to their employees. Meanwhile, they add more applications that require more passwords. This creates a vicious cycle driving poor password hygiene.
Remote work adds further challenges. Employees connect from home networks that the organization does not control, and most will not be able to configure them securely; many do not even know how to change the router's default password. A virtual private network (VPN) protects traffic in transit but does nothing for a device that is already compromised. Ultimately, people may not have the technical knowledge or experience to protect data.
Managed Detection and Response to Overcome Human Error Risk
Human error may lead to data breaches, but companies are still responsible for mitigating the risk. Managed detection and response (MDR) reduces the likelihood of a successful attack by monitoring for new threats, vulnerabilities, and misconfigurations, and when devices, systems, and networks are compromised, it provides rapid detection, notification, and response guidance.
As organizations work to reduce the impact of human error on their environments, MDR offers a way to improve their security posture. With coverage across cloud, network, system, application, and endpoint, Fortra's Alert Logic MDR solution gives companies the ability to apply threat analytics by collecting, analyzing, and enriching data for advanced threat detection and response.