Human Risk Management Institute

Human Behavior: The Main Factor Behind Data Leaks

Written by Hastin Lia | 18 Feb 2026

Data is an important asset for companies in the modern era. Digital data, such as customer data, financial data, and company operational data, can be easy targets for cybercriminals. When data is leaked, it not only costs the company money, but can also damage the reputation that has been built up over many years. The average cost of a global data breach is $4.24 million per incident, according to a recent IBM report.

However, a fact that is often overlooked is that human behavior is the main source of data breaches, not sophisticated cyberattacks or malware. More than 80% of data breach incidents are caused by humans, according to data from Verizon's 2023 Data Breach Investigations Report. This shows that employee behavior in the face of cyber threats is also important, in addition to the technology used to protect data. In this article, we will discuss how human behavior plays a role as the main cause of data breaches. We will also discuss common mistakes that are often made and proactive strategies to prevent them.

Human Behavior Factors That Cause Data Leaks

1. Negligence and Human Error

Human error or negligence is the main cause of data leaks. This negligence can take the form of seemingly minor actions, such as sending sensitive documents to the wrong recipient or accidentally publishing internal documents that should have been kept confidential. In addition, clicking a malicious link in a phishing email, which appears to come from a trusted source, is one of the common mistakes that cause data leaks in many companies.

A study by the Ponemon Institute found that 24% of data leaks stem from human error; this includes lost devices, incorrect system configurations, and careless actions by employees. Although often unnoticed, these mistakes can be very dangerous.

2. Lack of Security Awareness or Understanding

Another factor contributing to data breaches is low employee awareness of cybersecurity. Many workers do not realize the importance of maintaining information security, especially in a world that is increasingly dependent on digital technology. Employees may not know what phishing or ransomware is, or how to protect data from cyberattacks if they are not properly trained.

The use of weak passwords is a common example of this lack of awareness. Many employees still use easily guessed passwords or even use the same password for multiple accounts, even though the company may have established a strong password policy. This allows cyber attackers to obtain important company data.

3. Use of Technology Without Proper Security

The risk of data leaks increases as more businesses allow their employees to work from home or use their personal devices. If personal devices are not properly protected, cybercriminals can gain access. For example, a Man-in-the-Middle (MitM) attack can steal employees' personal data if they access company emails or important documents from an unsecured public Wi-Fi network.

If Bring Your Own Device (BYOD) policies are not accompanied by proper security procedures, there is a possibility that data will be leaked. Unauthorized parties can easily access business data if it is not properly encrypted or protected.

4. Internal Motivation and Insider Threats

Threats from insiders also include unintentional errors. Insiders may include contractors, business partners, former employees, or current employees who have access to personal information and intend to steal or leak it. The purpose of these actions can vary, such as financial gain, revenge against the company, or damaging the company's reputation.

Because perpetrators usually already have legitimate access to the system, insider threats are very difficult to detect. Violations by insiders can go undetected until it is too late if there is no strict supervision and early detection.

Case Studies and Statistical Data

1. Data Breaches Caused by Human Error

Major data breaches caused by human error include the incident at British Airways in 2018. More than 400,000 of their customers had their personal data, including credit card information, exposed due to an error in their website settings. As a result, UK regulators fined British Airways £183 million.

In 2020, the UK government also experienced a data breach in the public sector. The government accidentally shared the personal data of more than 1,000 award recipients in a file available on their website.

2. Statistics on the Role of Humans in Data Breaches

The Cybint report shows that human error is responsible for 95% of data breaches. In addition, the 2023 Verizon DBIR study found that phishing attacks, one of the most common types of attacks that exploit human weaknesses, accounted for 22% of all reported data breaches. These figures show how important human behavior is in corporate security strategies.

How to Reduce the Risk of Data Leaks Due to Human Behavior

1. Security Awareness Training

Ongoing cybersecurity training is the first step in reducing the risk of data breaches due to human behavior. It is essential that this training covers topics such as how to spot phishing emails, why to use strong passwords, and how to safely access sensitive data on public networks. The Ponemon Institute claims that companies that implement cybersecurity awareness training programs experience a 60% reduction in data breach incidents.

2. Strong Security Policies and Verification Processes

In addition to providing training, companies must implement strong security policies and strict verification systems. One example is a policy that requires the consistent use of two-factor authentication (2FA) to access sensitive data, or a password policy that requires employees to change their passwords regularly. Access verification systems are also important to ensure that only authorized persons can access sensitive company information. Regular internal security audits can also help identify potential weaknesses in the company's security system.

3. Monitoring and Supervision of Employee Activities

Companies must use monitoring technology that can identify unusual behavior from employees to prevent insider threats or suspicious activities. For example, the security system must immediately issue a warning if an employee suddenly accesses data that is not related to their work or downloads a large amount of personal data.
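
The alerting rule described above, as an added example that is not part of the original article: it flags access to datasets outside an employee's role and downloads far above that employee's own history. The role mapping, log format, thresholds and all sample records are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample data (assumptions, not from the article).
ROLE_DATASETS = {"support": {"tickets", "customers"},
                 "finance": {"invoices", "payroll"}}
USER_ROLE = {"alice": "support", "bob": "finance"}

# (day, user, dataset, records_downloaded)
ACCESS_LOG = [
    ("2026-02-01", "alice", "customers", 40),
    ("2026-02-01", "bob", "invoices", 100),
    ("2026-02-02", "alice", "customers", 35),
    ("2026-02-02", "bob", "invoices", 120),
    ("2026-02-03", "alice", "tickets", 50),
    ("2026-02-03", "bob", "invoices", 110),
    ("2026-02-04", "alice", "customers", 45),
    ("2026-02-04", "bob", "payroll", 130),
    ("2026-02-05", "alice", "payroll", 30),      # not related to a support role
    ("2026-02-06", "alice", "customers", 5000),  # far above alice's usual volume
]

def detect(log, user_role, role_datasets, factor=5, min_history=3):
    """Return (day, user, reason) alerts for out-of-role access and bulk downloads."""
    history = defaultdict(list)  # user -> sizes of earlier, non-anomalous downloads
    alerts = []
    for day, user, dataset, records in log:
        # Unknown users or roles get an empty allow-list, so they always alert.
        allowed = role_datasets.get(user_role.get(user), set())
        if dataset not in allowed:
            alerts.append((day, user, f"out-of-role access to {dataset}"))
        past = history[user]
        bulk = False
        if len(past) >= min_history:
            baseline = statistics.median(past)
            bulk = records > factor * max(baseline, 1)
        if bulk:
            alerts.append((day, user,
                           f"bulk download: {records} records, median {baseline}"))
        else:
            # Keep flagged volumes out of the baseline so one large pull
            # does not raise the threshold for the next one.
            past.append(records)
    return alerts

if __name__ == "__main__":
    for alert in detect(ACCESS_LOG, USER_ROLE, ROLE_DATASETS):
        print(alert)
```

Because the baseline is per user, the rule compares each employee with their own normal activity rather than with a company-wide limit.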

4. Security Automation to Minimize Human Error

An effective method for reducing human error is the automation of cybersecurity systems. Businesses can use automation to ensure that necessary security measures, such as data encryption or software updates, are performed consistently without human intervention. Since manual work often carries the possibility of error, this also reduces risk.

Conclusion

Human behavior is indeed a major factor in many data breach incidents. Although advanced security technology can help protect data, if employees are not aware or properly trained on the importance of information security, the risk of data breaches remains high. Therefore, companies must adopt a holistic approach, which includes cybersecurity awareness training, strong security policies, and automation of security processes, to minimize the risk of data breaches due to human behavior.