Mitigating human error security risks


Human error is a mounting concern in cyber security. Indeed, Verizon’s 2022 Data Breach Investigations Report found that human error was the main cause of cyber security breaches, accounting for 82 percent of attacks.

Organisations are wising up to the extent of this threat. For example, Gartner estimates that cyber security awareness training will be worth $10 billion by 2027, while a 2021 UK government poll found that 20 percent of UK businesses have tested employees as part of their cyber security education programmes.

Yet is better education enough? With the cost of cyber crime set to hit $10.5 trillion by 2025, the answer is most probably ‘no’. More must be done to mitigate the growing risk of attack.

It’s time to manage identities

In today’s increasingly digitised world, individuals’ digital footprints span numerous devices, applications, tools, and platforms, with each instance generating a unique digital identity. In a work environment, this means that one employee could have dozens of identities linked to them. The same is true for non-humans, including bots. Keeping track of this sprawl is an enormous undertaking, but if it isn’t adequately managed, organisations will face a heightened risk of attack or non-compliance.

Identity and Access Management (IAM) enables organisations to mitigate these risks. It breaks down into two interconnected branches, which together govern how users and identities interact with information, tools and applications across internal systems.

The first branch is identity management. An ‘identity’ can be a person, a device or a piece of code that interacts with information. Each should be assigned a level of privilege, and will require authentication to ensure the person or machine behind the identity is who the organisation believes it to be. A robust identity management solution should be able to scale to cope with the proliferation of identities within the organisation, and should make it easy for admins to add and remove identities as people join and leave the company, or as technology is deployed or decommissioned.

Furthermore, each identity will depend on a set of resources to do its job or complete its tasks. This means organisations need to ensure that only authorised identities can access those files, applications or services. This is the second branch of IAM: access management.

This concept is well illustrated using a school’s infrastructure. Pupils, teachers and administrators all use different resources during the school day. Rather than authorise each unique identity individually – a process that is onerous and prone to error – they can be grouped according to their roles, the resources they need to access, and the level of access they need for each resource. For example, while teachers and pupils will need access to teaching materials, administrators and teachers will need to view and/or edit attendance data, report cards, exam results, and more. It makes sense in this set-up for certain roles to require access to confidential information that should not be accessed by others. Even though identities overlap, access rights are unique.

While this is a simple use case, the very same principles apply in any organisation. Access management helps create and define groups, allowing the users and bots to access what they need, and nothing more.

Beware of privilege creep

During their employment at a company, users often accumulate privileges. As they progress through a company or are brought onto new projects, they will be granted access to new applications and data sets, often on a short-term basis. The issue here is that it is easy for organisations to lose track of when this access should be revoked, leaving users with access to far more than they need.

Privileged Access Management (PAM) enables organisations to curtail user privileges and ensure the right people have access to the right resources, for the right amount of time. It systematically protects sensitive information, systems and applications, by providing just-in-time (JIT) access, rotating credentials and by monitoring privileged activity. These tools often enforce ‘least privilege’ – limiting access to the bare essentials.
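The role-based grouping from the school example above and the just-in-time, least-privilege controls described in this section can both be shown in one small model. The following Python is an added illustration and is not code from the article or from any IAM/PAM product: role names, resource names, identities, timestamps and the helper functions (`is_allowed`, `grant_jit`, `audit_privilege_creep`, `revoke_expired`, `deprovision`) are all constructed for this example. Permissions come from a role baseline; anything beyond the baseline is a time-boxed grant that stops working at expiry and is flagged by the audit if it is still attached, which is the privilege-creep failure the section warns about.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role baseline: role -> resource -> set of permitted actions (constructed school example).
# Pupils and teachers share teaching materials; attendance and report cards are
# for teachers and administrators; exam results are administrator-only by default.
ROLE_PERMISSIONS = {
    "pupil": {"teaching_materials": {"read"}},
    "teacher": {
        "teaching_materials": {"read", "write"},
        "attendance": {"read", "write"},
        "report_cards": {"read", "write"},
    },
    "administrator": {
        "attendance": {"read", "write"},
        "report_cards": {"read", "write"},
        "exam_results": {"read", "write"},
    },
}


@dataclass
class Grant:
    """A just-in-time grant: always carries an expiry, never open-ended."""
    resource: str
    action: str
    expires_at: datetime


@dataclass
class Identity:
    """A human or non-human (bot/service) identity with roles and JIT grants."""
    name: str
    roles: set[str]
    kind: str = "human"
    jit_grants: list[Grant] = field(default_factory=list)


def is_allowed(identity: Identity, resource: str, action: str, now: datetime) -> bool:
    """Allow if the role baseline permits it, or a JIT grant for it is still live."""
    for role in identity.roles:
        if action in ROLE_PERMISSIONS.get(role, {}).get(resource, set()):
            return True
    return any(
        g.resource == resource and g.action == action and now < g.expires_at
        for g in identity.jit_grants
    )


def grant_jit(identity: Identity, resource: str, action: str, ttl: timedelta, now: datetime) -> Grant:
    """Elevate for a bounded time; the grant self-expires after ttl."""
    grant = Grant(resource, action, now + ttl)
    identity.jit_grants.append(grant)
    return grant


def audit_privilege_creep(identity: Identity, now: datetime) -> list[str]:
    """Report grants that have expired but were never revoked (privilege creep)."""
    return [
        f"{identity.name}: expired grant still attached: {g.resource}:{g.action}"
        for g in identity.jit_grants
        if now >= g.expires_at
    ]


def revoke_expired(identity: Identity, now: datetime) -> int:
    """Drop expired grants; returns how many were removed."""
    before = len(identity.jit_grants)
    identity.jit_grants = [g for g in identity.jit_grants if now < g.expires_at]
    return before - len(identity.jit_grants)


def deprovision(identity: Identity) -> None:
    """Leaver/decommission: strip every role and grant in one step."""
    identity.roles = set()
    identity.jit_grants = []


def run_school_scenario() -> dict:
    """Walk through the school example; returns a dict of observed decisions."""
    now = datetime(2023, 1, 23, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    pupil = Identity("alice", {"pupil"})
    teacher = Identity("mr-brown", {"teacher"})
    bot = Identity("report-export-bot", {"administrator"}, kind="service")
    out = {}
    out["pupil_reads_materials"] = is_allowed(pupil, "teaching_materials", "read", now)
    out["pupil_reads_exam_results"] = is_allowed(pupil, "exam_results", "read", now)
    out["teacher_exam_before"] = is_allowed(teacher, "exam_results", "read", now)
    grant_jit(teacher, "exam_results", "read", timedelta(hours=2), now)  # JIT elevation
    out["teacher_exam_during"] = is_allowed(teacher, "exam_results", "read", now + timedelta(hours=1))
    later = now + timedelta(hours=3)
    out["teacher_exam_after"] = is_allowed(teacher, "exam_results", "read", later)
    out["creep_findings"] = audit_privilege_creep(teacher, later)
    out["revoked"] = revoke_expired(teacher, later)
    out["bot_reads_report_cards"] = is_allowed(bot, "report_cards", "read", now)
    deprovision(bot)  # bot decommissioned: all access should vanish
    out["bot_after_deprovision"] = is_allowed(bot, "report_cards", "read", now)
    return out


if __name__ == "__main__":
    for key, value in run_school_scenario().items():
        print(f"{key}: {value}")
```

Two design points carry the section's argument: a grant without an expiry cannot be created, so the time bound is enforced by the data model rather than by someone remembering to revoke, and the audit is a separate read-only check that surfaces anything the revocation step has missed, which is the review an organisation would run periodically against its real directory.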

Raising security awareness

While this technology can certainly assist in preventing malicious as well as accidental identity-related security breaches, educating the workforce should nevertheless remain a key component in every organisation’s cyber security strategy. While employees may care about corporate data, they might not be aware of the steps they need to take in order to secure and protect it.

To combat this, companies need to run education programmes that instil individual responsibility. It’s also important to get rid of the negative connotations around popular cyber security concepts such as ‘Zero Trust,’ which comes with the tagline “trust no one, verify everything.” There’s a fine line to tread between usability, security and trust, and it is important not to go too far with surveillance technologies.

Insider threat programmes that focus on monitoring for risky behaviour are a good compromise here. Risky activity – or users – can be identified based on multiple factors, and training programmes can be created that address these specific use cases.

To err is human, but it is important to remember that employees build businesses and contribute to their long-term growth and success. Rather than place the onus on them to be cyber aware – and blame them when things go awry – they require education about the risks they could face, and they need to work within a framework where identities are centrally managed and controlled. Then, even if they do make mistakes, their errors won’t expose their employer to any unnecessary risk.


Chris Owen

Chris is currently responsible for helping to drive Saviynt’s product innovation, roadmap, go-to-market messaging and competitive intelligence.

He has acquired a wealth of experience in Identity & Access Management (IAM) and Privileged Access Management (PAM) over a 15-year career in various technical and leadership roles at Quest / One Identity, CyberArk, BeyondTrust and Centrify.

Chris began his career as a technical lead of one of the largest transformation projects in Europe at that time.
