While we might be quick to blame ineffective security appliances and applications as the reason for today’s high-profile cyber attacks, the reality is that human error is cited as the leading cause of security incidents. If we want to defend organizations against growing cyber threats, it’s not just about spending more money on security solutions—our employees need to be trained on the implications of their mistakes and how to defend themselves from their own worst impulses.
First, here are some figures: Many security professionals consider the Verizon Data Breach Investigations Report to be ultimate industry barometer. According to the 2016 edition of the Report, “Miscellaneous Error,” described as unintentional actions which weaken the security of a specific system, was responsible for over eleven thousand incidents last year. Of these, nearly 200 incidents resulted in the exposure of sensitive information to unauthorized third parties.
To be specific, Miscellaneous Error is dominated by three subcategories of error. There’s misdelivery, which is what it sounds like: “Oops, that email wasn’t supposed to go to this person.” This occurred in 41 of 197 confirmed breaches. Publishing errors occurred 18 times. Misconfiguration—which occurs when a stack of confidential information becomes available on networks where it’s supposed to be invisible—occurred 18 times. Lastly, there’s improper device disposal, which is what happens when you throw a laptop in a dumpster without wiping its hard drive first.
It might be difficult to think of user error as a serious problem, especially when specific incidents in a given sub-category number a few dozen at most. The truth, however, is that even a single data breach can result in the exposure of thousands of records. For example, a misdelivery error, in which two healthcare employees improperly emailed documents to each other, resulted in the potential exposure of nearly 91,000 records.
That’s not the worst news. The DBIR has an entire extra incident category, separate from Miscellaneous Error, which just describes data breaches stemming from lost or stolen devices. Last year there were nearly 10,000 incidents, resulting in 56 breaches. Most of these breaches occur when lost devices aren’t protected by full-disk encryption. Again, a single breach can affect thousands of people, as in an event where a stolen laptop from an Oregon insurance co-op lead to the breach of 15,000 records.
It’s difficult to prepare and protect against human error. There’s no way around it—humans are prone to making inexplicable mistakes. Nearly 50% of discarded USB drives will get picked up from off the ground and used by various unsuspecting strangers, for example. Still, by stepping up IAM controls, administrators can cut down on the chaos.
For example, by using PlainID, access to corporate data will be given or denied based on the current circumstances. It is determined dynamically and in real time, based on user attributes, environmental attributes (time, location, etc.) and events. In addition, access is determined up to the resource and action level. For example, if as the Head of IAM, you decide that access to data is limited to pre-approved devices only from the office, or depends on additional environmental attributes, you can make that decision. If you want to ensure that certain employees can’t use email attachments over a certain size, you can make that call as well. Locking a potentially lost or stolen device is child’s play.
It can be hard to prevent your users from making bad decisions with data, but with PlainID, you can prevent those decisions from rebounding on your company. In order to see more about how PlainID is changing the face of authorizations, contact us today: