A staggering 95% of security incidents investigated by IBM in 2013 involved human error. Is staff complacency the greatest risk in the cyber arena?
Just as it takes people to tackle cyber crime, people are also to blame for many successful attacks, through human error and complacency. A survey by IBM found that employees continue to fuel cyber and data breach-related incidents. The survey, which draws on cyber security data from nearly 1000 IBM Security Services clients, indicated that a staggering 95% of incidents in 2013 involved human error in one way or another.
University College London Research Institute for Science of Cyber Security director Angela Sasse says: “In most cases, negligence is the source of a breach. It’s not that there’s a malicious outsider colluding with a malicious insider, it’s that there’s a malicious outsider who’s figured out how to take advantage of employee error.”
Sasse and her assistant, Adam Beautement, are researching the human factor in how organisations protect themselves in the cyber arena. They say the most devastating attacks usually combine the knowledge of an insider with the brains and resources of a criminal. Critical to this security breakdown is the combination of firms' cumbersome security systems and employees seeking time-saving workarounds that unwittingly open the door to cyber attacks.
Beautement says: “Policies that are difficult to follow end up being circumvented, and that opens up vulnerabilities. Employees understand the need for computer security updates but they might avoid doing them because they slow down the system.”
Sasse continues: “Or if staff can’t cope with the complexity of passwords or the frequency with which they change, they might write them down and stick them somewhere that can be lost or get in the wrong hands. An organisation we’ve worked with wanted its employees to use encrypted USB sticks, but ordering one took two to four weeks, which is just not realistic for most people.”
As a result, employees look for workarounds – keeping the same password, skipping computer updates and bringing their own devices to work – without being aware of the potential consequences.
From an insurance perspective, about 5% to 10% of cyber-related claims arise from either human error or insider fraud, according to Tim Stapleton, global underwriting manager at Zurich.
“You can never fully anticipate and quantify with 100% certainty the losses arising from human error,” he says. “From an underwriting perspective, when looking at cyber risk, we look at people, processes and technology and the controls in those three areas. Human error and insider fraud are the most difficult areas to quantify.”
But preventing or at least lowering the chances of suffering from such an attack comes down to training, Stapleton adds. “A lot of organisations are now requiring staff to take on security and risk awareness training. We have seen examples where organisations are working with human resources to create these initiatives, and some companies are even requiring staff to participate in these courses on an annual basis.”
Crucially, these companies are creating a culture where employees feel compelled to practise good information security. Stapleton says: “In addition to training, security-conscious companies are enforcing ‘clean desk’ policies. For example, computers are automatically locked if left unused for a short period of time, and a security guard will do the rounds to pick up and lock up any items left behind after hours that may allow access to sensitive data, such as laptops and other mobile devices.
“It is not good enough to simply have a policy in writing, these protocols need to be enforced and employees need to see them being actively enforced. Companies that do this tend to be more successful at mitigating human error-related data breaches.”
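Stapleton's point is that a written policy is worthless unless it is enforced and seen to be enforced. The automatic lock he mentions is one of the few controls in this article that can be checked by machine rather than by a guard on the rounds. The script below is an added example, not code from the article, from Zurich or from IBM: it audits a Windows endpoint for an enforced inactivity lock and can set one. It assumes Windows 10/11 or Windows Server, reads the registry keys that the Group Policy settings "Interactive logon: Machine inactivity limit" and "Password protect the screen saver" write to, and uses an assumed 900-second (15-minute) threshold; the article gives no figure.

```powershell
# Added example (not from the article): audit and enforce an idle-session lock on Windows.
# Assumes Windows 10/11 or Server. Reading needs no elevation; Set-MachineInactivityLimit does.
# The 900-second threshold is an assumed policy value, not one the article states.

$MaxIdleSeconds = 900

# Machine-wide policy key behind "Interactive logon: Machine inactivity limit" (DWORD, seconds).
$SystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Per-user policy key behind the screen saver Group Policy settings (REG_SZ values "1"/"0" and seconds).
$UserDesktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-IdleLockStatus {
    # Collect both ways a Windows session can be forced to lock on inactivity.
    $machineLimit = (Get-ItemProperty -Path $SystemPolicy -Name InactivityTimeoutSecs `
                        -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $ss = Get-ItemProperty -Path $UserDesktopPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MachineInactivityLimit = $machineLimit        # $null if the policy is not set
        ScreenSaverActive      = $ss.ScreenSaveActive
        ScreenSaverSecure      = $ss.ScreenSaverIsSecure
        ScreenSaverTimeout     = $ss.ScreenSaveTimeOut
    }
}

function Test-IdleLockCompliance {
    param(
        [Parameter(Mandatory)] $Status,
        [int] $MaxIdle = $MaxIdleSeconds
    )
    # A machine inactivity limit of 0 means "disabled", so it must be strictly positive.
    $machineOk = ($null -ne $Status.MachineInactivityLimit) -and
                 ([int]$Status.MachineInactivityLimit -gt 0) -and
                 ([int]$Status.MachineInactivityLimit -le $MaxIdle)
    # Screen saver only counts if it is on, password-protected, and times out soon enough.
    $ssOk = ($Status.ScreenSaverActive -eq '1') -and
            ($Status.ScreenSaverSecure -eq '1') -and
            ($null -ne $Status.ScreenSaverTimeout) -and
            ([int]$Status.ScreenSaverTimeout -gt 0) -and
            ([int]$Status.ScreenSaverTimeout -le $MaxIdle)
    return ($machineOk -or $ssOk)
}

function Set-MachineInactivityLimit {
    param([int] $Seconds = $MaxIdleSeconds)
    # Refuse 0: that would silently disable the lock rather than enforce it.
    if ($Seconds -le 0) { throw 'A zero inactivity limit disables locking.' }
    if (-not (Test-Path $SystemPolicy)) { New-Item -Path $SystemPolicy -Force | Out-Null }
    Set-ItemProperty -Path $SystemPolicy -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
}

$status = Get-IdleLockStatus
$status | Format-List
if (Test-IdleLockCompliance -Status $status) {
    Write-Output "Compliant: session locks within $MaxIdleSeconds seconds of inactivity."
} else {
    Write-Output "Not compliant: no enforced lock within $MaxIdleSeconds seconds."
    # Uncomment to enforce the machine-wide limit (run elevated):
    # Set-MachineInactivityLimit -Seconds $MaxIdleSeconds
}
```

Run it as the logged-on user to audit, or elevated with the last line uncommented to enforce. The machine inactivity limit is the stronger of the two controls because it applies regardless of which screen saver the user has chosen and cannot be turned off from the user's own desktop settings, which is exactly the kind of enforcement Stapleton says employees need to see.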
Be it through IT negligence or employee error, the threat of hackers is growing. Preventing and mitigating this risk needs a business-level strategy and action plan. Risk managers: consider yourselves warned.