
End-user negligence, the one block that makes it all fall!

Human errors are inevitable but smart, tech-enabled OS-based solutions can address and lower the scope of end-user negligence

Mistakes are at the core of human experiences. Despite highly advanced and well-managed technological solutions, human errors are inevitable in any organization.

According to a study reported by IBM, 95% of data breaches occur due to human negligence. One prominent example is the WannaCry malware outbreak, which resulted in an overall loss of $4 billion to businesses across the globe. The WannaCry ransomware attacked devices running the Microsoft Windows operating system. It encrypted the data on the device and demanded a ransom in Bitcoin (a cryptocurrency).

Today, there is digital exposure in almost all aspects of our day-to-day lives. The scope of online business components is widening tremendously and, unfortunately, so is that of digital security risks. Still, many human errors are overlooked when it comes to cyber security. This might be due to a lack of cyber security awareness and/or human negligence. Employee behavior that violates ideal security practices can also lead to data breach disasters. For instance, many employees skip turning off or locking their system when they have to be away from it.

Above all, the pandemic has employees working from their homes. Remote working culture has seen people go on ‘workations’ i.e. travel to combine business with leisure. Imagine the risk of end-user negligence when they are not working from the company premises!

Here is a comprehensive article that covers how end-user negligence is the one block that can make it all fall, its consequences for enterprises, and how smart, tech-enabled OS-based solutions can address and lower the scope of end-user negligence.

Real-world data breaches caused by human errors and/or negligence

To begin with, let’s talk about some incidents of data breaches that have occurred due to human negligence.

1. Equifax – Personal data leaked

The data breach at Equifax, a consumer credit reporting agency, occurred in Spring 2017. The company was using Apache Struts (third-party software) to handle its customers’ credit disputes. It had not upgraded to an already released version of the software that fixed some security issues. Hackers exploited a vulnerability in this software to breach the data.

During this incident, the hackers were successful in accessing the internal servers of the company. It took around 76 days for Equifax to identify the breach. In that time, the hackers were able to access confidential data like social security numbers, addresses, and even the driver’s license numbers of over 143 million American residents.

  1. The employees in charge neglected to patch the security hole in the open-source software (Apache Struts) since it would have been labor-intensive with potential downtimes.
  2. The database content was open to general access for trusted users. Had this been restricted, the attackers might not have been able to move swiftly through the data.

2. Strathmore College – Student records leaked

This data leakage occurred in August 2018. Despite the professional training offered for the best security practices, one of the employees published the medical records of over 300 students by accident. The data included information about their mental health conditions and medications. These records remained published on the institute’s intranet for 24 hours.

  1. Weaker data encryption
  2. Employee negligence towards security practices

3. Veeam – Customer records leaked

Veeam, a data recovery and backup company, faced a data breach in August 2018. Almost 200GB of data was exposed during this incident. The database was left unprotected because it had no password protection.

  1. Lack of data encryption
  2. Unprotected database (human negligence)

4. Marine Corps – Personal data leaked

This data breach occurred in 2018 when the Defense Travel System (DTS) in the US sent unencrypted mail to unauthorized email addresses, including civilian accounts. The personal information of over 21,500 sailors, marines, and civilians was exposed during this activity. It included their bank account details, emergency contacts, and social security numbers.

  1. Weaker encryption of data
  2. Improper checking of the email list

5. Target – Card data leaked

Cyberattackers got access to Target's computer gateway in November 2013 using credentials stolen from a third-party vendor through phishing. Unsubstantiated sources claimed that the vendor used a free version of anti-malware that provided no real-time protection. The attackers got access to a customer service database, put malware on the system, and acquired confidential details. These included names, phone numbers, email IDs, debit and credit card numbers, verification codes, etc.

  1. The monitoring software employed by Target was able to detect the intrusion at a preliminary stage and subsequently alerted the Target staff but no action was taken to mitigate the problem.
  2. Unmonitored vendor systems and lack of cybersecurity awareness.

Reasons behind data breaches

1. Employee errors

Employee errors can occur due to negligence of the security procedures. This is mostly what causes data breaches in companies. These errors can include using a weak password, using the company’s device on a personal network, not turning off the work device after office hours, using private devices on the company's network, inserting USB and other unprotected storage devices into the company’s system, and many more. Thus, despite advanced IT infrastructure and awareness campaigns, employees tend to make errors that can lead to data leakage or misuse.

2. Expired security licenses

Information security specialists across the globe constantly study the exploits used by hackers. Based on these already identified exploits, the experts find ways to secure your system against the underlying vulnerabilities. These come in the form of upgraded versions of the software and security certificates. If these go unapplied at the company’s end due to the negligence of the employees, hackers can easily access the data.

3. Deliberate data abuse by the employees

Human errors can mostly be classified as innocent mistakes. However, some employees deliberately misuse the company’s data for personal gain. Such damages are impossible to prevent. However, limiting the data that any single user can access can ensure minimal loss of data in such scenarios.

4. Theft of the company’s device

Physical theft of any device that contains the company’s confidential data can also result in the loss or leakage of data. The majority of these thefts are opportunistic, making them difficult to anticipate. Employees ought to notify the IT admins as soon as they find that their devices are stolen. However, they fail to do so immediately. For instance, when they lose their device on Saturday, they might decide to inform the admin on Monday. These 48 hours can create a window for cyber attackers to get into the company’s confidential data.

Why do most of the data breaches occur due to employee negligence?

Employee negligence can be categorized into skill-based and decision-based errors. Skill-based errors occur due to minor lapses. Here, the employee is aware of the process but fails to follow it because of minor mistakes that can have devastating effects later on. Decision-based errors occur when the employee makes a wrong decision either due to a lack of knowledge and information or due to carelessness.

Here are some common human errors that occur in the organization:

Making a wrong delivery

Many times, employees send confidential information like passwords or security keys to the wrong recipients. It might reach people outside the organization, or people inside the organization who are not supposed to access it.

Weak passwords

Employees sometimes set weak passwords for their systems and confidential accounts. Some of them also jot down passwords in their notes or in unprotected documents. Setting the same password for multiple accounts is another negligent habit. If these passwords are obtained by hackers, they can easily reach the company’s sensitive information.

Negligence in patching

Any new exploit or vulnerability, when discovered by the software experts, is immediately worked on. If the users fail to install the upgraded, more secure versions, hackers might take advantage and use the exploit to reach the confidential information in the system.

A loophole in the physical security

With all the focus on digital security, we all tend to overlook the physical security aspect. Errors where an unauthorized person gets access to the passwords and security keys, or to the device itself, are also common.

How to minimize security risks due to end-user negligence?

Employees should never be a weak link to allow data breaches in the company. Hence, the first step is to reduce opportunities for faults by educating them and making them aware of the security aspects. However, as human errors can’t be avoided completely, it is recommended to restrict access to IT hardware and software at the individual as well as department levels.

For this, businesses require a robust and well-managed IT infrastructure. Evren is an Operating System that offers a comprehensive range of capabilities to ensure the security of a corporation. Here are some of the capabilities that make managing end-user IT easier than ever before:

a. Full disk encryption

Full disk encryption protects the data of the entire device. This can act as the first line of defense during physical theft of the device.

b. URL filtering

This feature is used to blacklist/whitelist web domains to restrict the users’ access to certain sites so that the employee doesn’t land on malicious content online. Thus, Evren takes an extra step to prevent cyber attacks!
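A domain filter is only as reliable as its matching rule. The sketch below is an added example, not Evren's code: it compares label-boundary hostname matching with a naive substring check, and the policy lists and URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration; every domain here is a placeholder.
DENYLIST = {"malware.example", "uploads.docs.example"}
ALLOWLIST = {"intranet.corp.example", "docs.example"}

def host_of(url):
    """Return the normalised hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url).hostname  # drops userinfo and port, lowercases
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".")  # "docs.example." and "docs.example" are one host

def matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(url, default="block"):
    """Return 'allow' or 'block'; the denylist wins over the allowlist."""
    host = host_of(url)
    if host is None:
        return "block"  # unparseable input is never allowed
    if matches(host, DENYLIST):
        return "block"
    if matches(host, ALLOWLIST):
        return "allow"
    return default

def naive_decide(url):
    """Substring check on the raw URL, shown only to contrast with decide()."""
    return "allow" if any(d in url for d in ALLOWLIST) else "block"
```

The substring version allows any URL that merely contains an allowed name, such as a look-alike parent domain or a name placed in the userinfo part, while the hostname comparison blocks both.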

c. Log management

This feature is used for monitoring any suspicious activity on the device and helps organizations to detect and respond to threats. Evren parses all device logs and converts them to a readable JSON format that can be used by any SIEM or monitoring system.

d. Certificate management

Managing device certificates can be automated using this tool. It functions for the deployment, removal, and management of the security certificates (SSL and other device and network certifications).

e. Asset tracking

Using this feature, the admins can track the devices and view the details of their apps and configuration. It can also keep a record of installed patches so that the system is not left with a vulnerability that hackers could use to reach confidential data.

Apart from these, Evren also offers plugins for network management, automated monitoring and reporting of the device activities, and many more to ensure that employee errors are minimized.

f. Application Sandboxing

The Operating System runs every software/app in an isolated container (sandbox) with only the resources needed to run it. One sandbox can’t access another one. Thus, if one app/software gets infected or is compromised in an attack, the attack remains confined to that app rather than spreading to the other apps on the device. Evren uses application sandboxing to prevent multiple apps from getting infected and so keep the entire system from being compromised.

g. Central Device Management

Evren offers an exclusive central device management plug-in that can help the IT admins to monitor and manage all the mobile/ laptop/ desktop devices centrally. Especially in the work from home/ remote working scenario, this has been a blessing for the IT admins as they can audit the device no matter where it is being used.


Despite having a well-configured IT infrastructure, data breaches occur in businesses all over the world and many of those are a result of employee negligence or errors. Above all, the remote work culture has increased the risk of information and cyber security breaches.

With increasing exposure to cyber threats, it is critical to keep a close eye on every device, every company asset, and the actions employees take with them. Businesses must have zero tolerance for end-user negligence and irresponsibility.

Even after the constant education and awareness campaigns, employees tend to make mistakes knowingly or unknowingly. This demands a comprehensive system that can manage the authentication of devices, networks, and activity of the employees. Evren's Operating System includes a wide range of tools and plugins that can assist organizations in ensuring security and reducing data breaches caused by end-user negligence.

Gaurav Nagar

Co-Founder & CEO