Human Error Accounts for Over 95 Percent of Security Incidents, Reports IBM
According to the IBM Security Services 2014 Cyber Security Intelligence Index report (PDF), over 95 percent of all incidents investigated recognize human error as a contributing factor. While organizations try to employ a litany of different security controls in an attempt to limit their risk of becoming the victim of a security incident or breach, human error is one factor that can’t always be controlled or relied upon.
Considering that each lost data record cost companies, on average, $145 per record in 2013, decreasing the human factor is ideal for any company that wants to stay in business these days. For the United States, each record cost an average of $195 per breached, lost or stolen record, 35.5 percent more than the global average.
The report found that the United States is typically one of the largest targets in the underground market for stolen credit card theft and retail breaches, due in part to its status as one of the last remaining countries using magnetic strip credit cards.
The report also did some hypothetical mathematical calculations based on potential per-industry costs, finding, for example, millions of breached credit card numbers could cost a major retailer more than $100 million in direct costs. Read more about retail data breaches in Target Breach: Vendor Password Exploit and POS Malware: A PCI Nightmare.
Similarly, on a slightly smaller scale but still just as devastating could be a university with 40k breached records could end up losing $5.4 million. For Arizona-based Maricopa County Community College, they ponied up nearly $20 million, about triple the originally estimated costs after they suffered a data breach that exposed the records of nearly 2.5 million current and former students, employees and vendors. Find out more about that incident in College Data Breach Triples in Cost to Nearly $20 Million; Tuition Raised.
When it came to the top industries most frequently targeted in 2014, the finance and insurance industry ranked highest at 24 percent, followed by manufacturing (22 percent), information and communication (19 percent), retail & wholesale (6 percent) and finally health & social services (6 percent).
Another finding discovered that malicious code was the primary mode of attack in cyber crime, at 38 percent, while sustained code and scanning was 20 percent, and unauthorized access ranked third at 19 percent.
Malicious code continues to serve as the primary mode of attack in cyber crime, with the ability to include third-party software, Trojan software, spear phishing, keyloggers and droppers.
Some of the most common human errors include:
- System misconfiguration
- Poor patch management
- Lost laptops or mobile devices
- Disclosure of regulated (sensitive) information via incorrect email address
- Opening infected attachments or clicking on unsafe URLS
Another common human error includes the use of default usernames/passwords, or easy-to-guess passwords. While standard to have sufficient password policies in place, the strength of your business security profile is only as strong as the passwords that your users choose - or as strong as the authentication controls you choose to put in place.
One way to eliminate risks introduced by human error as it relates to the use of default or weak passwords is by layering up with a second factor of authentication that uses a different channel than the first. With primary authentication relying on something that you know (a password), the secondary factor that uses something you have (a mobile app and smartphone) protects users from unauthorized remote access.
Find out more about password security and how two-factor authentication help in:
Default Passwords: Breaching ATMs, Highway Signs & POS Devices
Passwords Aren't Enough: 76% of Breaches Exploit Stolen Credentials