- According to the World Economic Forum’s “Global Risks Report 2022”, 95% of cybersecurity issues originate from human error.
- Check Point Software highlights essential measures that companies must implement to ensure their protection.
In today’s digital age, cybersecurity has become a priority for businesses, as cyber attacks can damage both their finances and their reputation. According to Check Point, 71% of businesses were victims of ransomware attacks in 2023, with an average payout of $4.35 million. Employees are the first link in the cybersecurity chain and the most vulnerable entry point.
Statistics paint a startling picture of the impact of human error in cybersecurity. According to the World Economic Forum’s “Global Risks Report 2022”, 95% of cybersecurity breaches are caused by human error. Real-life examples are numerous: one notable incident was the 2017 Equifax breach, where a single employee’s failure to implement a security patch led to the exposure of the personal data of over 143 million people. Another was the 2013 Target breach in the US, where attackers gained access through a phishing email sent to a third-party vendor, eventually compromising the data of 41 million customers. That is why how employees respond to attempted attacks, and how the organisation monitors for them, is essential: it determines the severity of the consequences the company may suffer.
Common human errors include the use of weak passwords, susceptibility to phishing scams, and mismanagement of sensitive information, often with devastating consequences. It is worth asking why people are such an attractive entry point for attackers. Psychological and behavioural factors play a significant role in these vulnerabilities. Cognitive biases, such as overconfidence or the belief that one is less at risk than others (optimism bias), can lead to lax security practices. A lack of awareness of potential threats also contributes significantly to the risk. During a recent CISO roundtable at the CPX Vegas conference, Dan Creed, CISO for Allegiant Air, highlighted: “Encourage employees and teach them about the consequences of not following security policies… noting SolarWinds as an example.” Social engineering exploits these weaknesses by manipulating individuals into divulging confidential information or performing actions that compromise security; it is heavily leveraged in phishing scams and, increasingly, in deepfake and voice scams.
To build solid protection, companies must not only implement Zero Trust architectures and threat detection software; they must also consider the cybersecurity training their employees receive, so that employees become the first barrier against any attack that tries to gain access to the corporate network.
Moreover, the importance of the employee’s role is even more pronounced in ransomware attacks, where human error is compounded by extortion for large sums of money. These attacks are becoming more frequent: in 2023 there were more than 5,000 victims of public extortion, an increase of 90% over the previous year, according to Check Point’s 2024 Security Report.
Check Point Software proposes the following cybersecurity measures, essential for building a solid protection in companies:
- Prioritizing cybersecurity: taking cybersecurity measures should be an imperative for every company. Promoting awareness of cyber threats and their risks, and providing specific training so that employees have basic cybersecurity knowledge, is essential. Cyber attacks most often succeed because of human errors that minimal training could prevent, such as falling for phishing emails, using weak passwords, or accidentally leaking information. Fostering a culture of security within the organisation, where cybersecurity is seen as everyone’s responsibility, is also key.
- Zero Trust strategy: Zero Trust (or “trust-less”) models are highly effective in preventing unauthorized access. Implementing a Zero Trust policy begins with the discovery of unprotected devices and continues with the automatic application of a least-privilege policy, granting access to data only to the systems and personnel that actually need it.
- Incident response plan: some exposure to cyber threats is inevitable, so it is essential to build a consistent response plan for any crisis that may occur. This ensures that employees know how to react to incidents, enabling quick action and minimizing damage.
- Establishing unique and secure passwords: passwords should be complex and unique for each employee and each account. This initial security layer must be effective at preventing unauthorized access and protecting the company’s confidential information. A minimum length of 14 to 16 characters is recommended, with a mix of uppercase and lowercase letters, numbers and symbols, combined with multi-factor authentication (MFA) and an account lockout policy after several failed attempts. Regular password changes are also often recommended, though current NIST guidance (SP 800-63B) favours changing passwords only on evidence of compromise, since forced rotation tends to produce predictable variations of the old password.
- Technological aids to compensate for human weakness: tools such as two-factor authentication add a further security layer, while automated security controls reduce reliance on manual updates and checks. AI and machine learning are increasingly used to predict and prevent human-related breaches by identifying unusual patterns or behaviours that might indicate a security risk, and such tooling is becoming imperative for catching the risks and breaches that AI itself makes possible.
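The password-policy and account-lockout measures listed above, written out as a small Python module. This is an added example, not Check Point’s code: the 14-character minimum and the required character classes follow the recommendation in the list, while the failed-attempt threshold (5), the lockout window (15 minutes), the weak-password list and the `attempt_login` flow are assumptions chosen for illustration.

```python
"""Password policy and account lockout checks.

Added example; not Check Point code. The 14-character minimum and the
required character classes follow the recommendation above. The failed-attempt
threshold (5) and lockout window (15 minutes) are assumed values, and the
weak-password list is a constructed sample standing in for a breach corpus.
"""
import hmac
import string
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_LENGTH = 14            # lower end of the 14-16 character recommendation
MAX_FAILED_ATTEMPTS = 5    # assumed: the text only says "several failed attempts"
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window

# Constructed sample; entries are lowercase and the check compares lowercased
# input so that trivial case changes do not evade it.
WEAK_PASSWORDS = {
    "password123456!",
    "welcome2024!!!!",
    "companyname2024!",
}


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_symbol")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("known_weak")
    return problems


@dataclass
class AccountLockout:
    """Count failed logins per account and lock the account once a threshold is hit."""
    max_failed: int = MAX_FAILED_ATTEMPTS
    lockout_seconds: int = LOCKOUT_SECONDS
    failed: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        """True while the account's lockout window has not yet expired."""
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Window expired: clear the lock and the failure counter.
            del self.locked_until[user]
            self.failed.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Register a failed attempt; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_failed:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self.failed.pop(user, None)


def attempt_login(lockout: AccountLockout, user: str, password: str,
                  expected: str, now: Optional[float] = None) -> str:
    """Illustrative login flow: returns 'locked', 'ok' or 'denied'.

    The plaintext comparison is for illustration only; a real system compares
    against a salted password hash. compare_digest avoids a timing side channel.
    """
    if lockout.is_locked(user, now):
        return "locked"
    if hmac.compare_digest(password.encode(), expected.encode()):
        lockout.record_success(user)
        return "ok"
    lockout.record_failure(user, now)
    return "denied"


if __name__ == "__main__":
    print(check_password_policy("Password123456!"))   # fails only the weak-list check
    lk = AccountLockout(max_failed=3, lockout_seconds=60)
    for t in range(4):
        print(t, attempt_login(lk, "alice", "wrong", "correct-horse-battery-Staple9", now=t))
```

The `now` parameter exists so the lockout window can be exercised deterministically in tests; in production it is left unset and the wall clock is used. Note that a per-account lockout like this is also a denial-of-service lever (anyone who knows a username can lock it), which is why the window is short and MFA, not lockout alone, carries the weight of the control.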
Looking forward, cybersecurity protection is likely to shift towards human-centric solutions, taking a balanced approach that integrates advanced technology with an understanding of human psychology and behaviour. Basic training programmes for employees will need to become more sophisticated, possibly leveraging simulations, while AI could become more adept at predicting human errors before they lead to breaches. This is why we insist that companies combine technological solutions with cybersecurity training for their teams, along with preventive measures and a consistent response plan.