A recent survey conducted by Ipsos reported that more than half (53%) of C-suite executives and nearly 3 in 10 (28%) small business owners (SBOs) who suffered a breach in 2019 identified human error or accidental loss by an external vendor or source as the cause of the data breach.
Last year, a study from CompTIA showed that human error is the root cause of security breaches 52% of the time. It's not surprising either: employees skim security policies, share information with people they shouldn't, click carelessly on phishing links and, in the worst but rare cases, intentionally sabotage their company.
Supermarket giant Morrison's knows this only too well. A disgruntled former employee leaked the payroll data of nearly 100,000 of his erstwhile co-workers. The supermarket chain is now being sued by thousands of its employees for failing to protect their data.
More often, though, employees breach their own security with the best of intentions. Security policies can be cumbersome, seemingly arbitrary things. Employees who want to do a good job, and do it quickly, will often try to circumvent practices that slow down their workflow. This may involve sharing a document with somebody outside the organisation or, even worse, storing passwords and login credentials in plain text so they don't have to remember the array of different passwords needed to log in to office accounts.
It's not just the rank and file who are vulnerable. The recent threat landscape has shown that CEOs are just as susceptible to human exploitation as anyone else. A 'whaling attack' is a type of CEO fraud that targets an organisation's executives using researched, personalised emails. Attackers will often trick a company's CFO into handing over large sums of money to someone who appears to be an employee but is actually a cybercriminal.
For a human problem, there isn't necessarily a technical fix. Educating employees will always be the best way to ensure your organisation doesn't fall prey to a breach born of human error. Employees have to know how to spot a phishing email, who they can and can't share files with, and what information they can safely publish online.