Most cyberattacks stem from internal human error, but companies can protect themselves.
Small business owners have a lot on their plate, including finding ways to protect their data and IT systems from hackers and scammers. Surprisingly, the most effective way to deal with malicious outsiders might well be to pay closer attention to what's happening on the inside of your business.
A recent ComputerWeekly survey that polled security experts reported that 55 percent said their organization had suffered a cyberattack. Of those who said their company was victim to a cyberattack, 84 percent could trace back the attack, at least in part, to internal human errors.
Hence cybercriminals rarely succeed in executing fraud on their own and rely on deceitful tactics to dupe targets and push them to act irrationally. In other cases, the responsibility falls entirely on insiders' shoulders who inadvertently disclose confidential details in emails and other communications.
In both cases, human errors may go unnoticed for weeks or months while the probability that disastrous consequences will occur – e.g., broken consumer trust, expensive lawsuits, and bankruptcy – is slowly and silently increasing.
So what are the most common types of human errors taking place in small companies and how can business owners prevent them? Let's take a closer look.
1. Sending wrong attachments
What are the odds that sensitive attachments could fall into the wrong hands? Think about how many documents are repetitively sent, received, forwarded and stored by each department. Multiply this number by the average number of recipients in your contact list and annual work days.
Over, let's say, a week or a month, imagine that the file has been confusingly renamed, edited, duplicated or replaced by something else and transmitted mistakenly. If you're lucky, an incorrectly attached document doesn't contain anything to worry about; if you're not fortunate, it could be the beginning of a very bad data breach.
2. Adding the wrong recipients to an email
Autocomplete is a double-edged sword. The ability to select recipients after typing one or two characters saves time, but that functionality can also cause a user to include someone with a similar name and email address (e.g., email@example.com, firstname.lastname@example.org, and email@example.com) in an email with information they should not be privy to.
What happens next is hard to predict. Unintended recipients may let you know that they should not be included and ask to be removed from the email thread. Or they could decide to say nothing and gather information for their own profit.
3. Creating weak passwords
Have you ever felt like it would be easier to use the same password everywhere? Likewise, your employees might do this for convenience.
It represents a golden opportunity for cybercriminals who can take advantage of poor password-setting and resetting practices to break into IT systems, steal data and conduct fraud. And it works: 81 percent of hacking attacks performed are due to stolen and/or weak passwords according to Verizon's 2017 Data Breach Investigations Report.
4. Lost or stolen devices
Laptops, smartphones, and BYOD initiatives have empowered today's workforce to be increasingly mobile. That's great for small business owners who can then reduce office and administrative costs while providing employees with the flexibility to work offsite.
However, this creates potential risks for both data and hardware from a cybersecurity standpoint. A member of your staff may, for example, leave his or her devices unattended while quickly getting lunch or a coffee, offering a window of opportunity for cybercriminals to strike.
5. Falling into a phishing trap
Is it still even possible to spot fraudulent emails nowadays? Forty-eight percent of small businesses report being the victim of phishing or social engineering scams in 2017, and hackers always seem to be one step ahead. As a result, employees are prone to make a cybersecurity faux pas – downloading and opening a malicious attachment, clicking on a suspicious URL or not checking for spoofed email addresses and inadvertently revealing data.
How can small business prevent human errors?
Before addressing solutions, let's examine the circumstances in which human errors are most likely to happen. These include:
- Stressful situations, e.g., when a deadline is approaching or after prolonged periods of mental strain
- Multitasking; employees with multiple job responsibilities may get overwhelmed faster
- Lack of awareness about the dangers of cyberthreats and how to identify and stop them
- A poor security tech stack, with IT security systems failing to detect abnormal activity
Build a cybersecurity culture
All employees play a role in keeping small businesses safe, and they should be aware of it. Drafting security guidelines on acceptable and dangerous behaviors regarding, among other things, the use of passwords and what data can be stored on private devices is a good start.
You may also find it useful to create an informal newsletter that contains some high-profile cases of human errors so your staff learns more about common mistakes.
Manage devices proactively
It has become much easier and cheaper to keep track of how devices are used outside the office and enforce best practices in security. For instance, you can require employees to go through an additional authentication step if they want to access emails on their phone. Additionally, you may install a mobile device management software application that allows you to wipe hardware that was lost or stolen.
Install error-prevention applications
Everyone in your business might be fully aware of the dangers of human error, but staff members may still let their guard down when the pressure is high.
You can use technology to flag situations where potential errors are likely to occur, e.g., large recipient lists, attachments containing credit card or Social Security numbers, senders using spoofed email addresses and weak or inexistent passwords.
While many cyberattacks originate from the outside, there is often one or more human errors at play that result in a data breach or financial loss. Business owners can combine awareness, device management, and technology to safeguard customers, employees, and other stakeholders.