The human factor is human interaction with technologies and systems. Every such interaction is an opportunity for error, and those errors can compromise the confidentiality, integrity, and availability of systems. This raises the question: should companies invest in more employee training, in additional technologies, or in both to combat this problem?

What is The Human Factor?

Many IT and cybersecurity professionals regard the human as the weakest link in information system security: a single mistake can let data be exfiltrated or let workstations and servers be compromised. The human factor is any human interaction with, or input into, a system. Software itself is an example. A website needs JavaScript to implement behaviour that HTML and CSS alone cannot, and JavaScript is used on almost every website, but that code exists only because a person wrote it. Programming requires human interaction, so it qualifies as a human factor, and wherever there is human interaction there is the possibility of error and therefore risk.

Risks of Human Factors

Within a company, employee actions are frequently the starting point of a cybersecurity incident. Over 80% of all phishing attacks worldwide targeted U.S. organizations (Gatlan, 2019), and untrained employees are the people those attacks are aimed at. Compromising a single employee's account can be enough to expose data. That account may be a standard user account or an administrator's high-privilege account; the latter hands the attacker the administrator's rights and is a far greater risk. Phishing depends on human interaction: a person has to open the message and enter credentials or run the attachment before any account, and then any data, is compromised. Phishing is only one form of social engineering that companies face. Some attacks are conducted face to face: an attacker poses as an employee or a senior official to obtain information or access they could not otherwise get. Human factors are estimated to cost $400 billion globally per year and to account for 35% of data breaches (Walker et al., 2020).

Employee Training

According to Kaspersky (2017), careless or uninformed employees were a contributing factor in 53% of virus and malware infections on company systems, and phishing and social engineering contributed to 36%. A lack of employee training therefore puts a company and the confidentiality, integrity, and availability of its data at risk. Training, testing, and communication should be the first priority for mitigating human error. Proper training should cover the signs of phishing in email as well as in face-to-face interactions. Simulated phishing tests should be run on a schedule set by company policy, such as monthly; regular training and testing reinforce cybersecurity policy. Companies should also consider gamifying the tests to encourage employee vigilance and participation. Lastly, a reporting channel should be established: an employee who receives a phishing email reports it to their manager or the security team, who can then check whether other employees received the same message, judge its threat level, and put measures in place to protect the company, employees, and customers.

Additional Technologies

Additional technologies can be added to a company's IT infrastructure to compensate for human error. Phishing emails and emails with malware attached can be filtered out with filtering rules and machine learning. Google Workspace, for example, scans attachments and links, handles external images, and flags messages that spoof the company's domain or employee names or that fail sender authentication (Google, 2022). Firewalls can filter malicious traffic and prevent employees from downloading from, or visiting, a malware-infected website. DNS sinkholes can be used so that an employee computer looking up a known-malicious domain is answered with an internal address instead of the server hosting the phishing page or malicious executable. However, technology can be expensive to implement, and humans still have to configure the firewalls, DNS sinkholes, and filters. The risk of human error therefore moves into the code and configuration of the technology rather than disappearing.
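The DNS sinkhole described above, written out as an added example (this is not code from the page or from any product it mentions). Everything in it is constructed for illustration: the blocklist entries are made-up names under the reserved `.example` TLD, `SINKHOLE_IP` is an assumed internal address, and the `upstream` dictionary stands in for a real recursive resolver. The point it shows beyond the paragraph is that a sinkhole must match parent domains as well as exact names, and that every sinkhole hit is also a detection event worth logging for the security team.

```python
"""Decision logic for a DNS sinkhole.

Added example, not code from the page or from any product it mentions.
Everything here is constructed for illustration: the blocklist entries are
made-up names under the reserved ".example" TLD, SINKHOLE_IP is an assumed
internal address, and the "upstream" dict stands in for a real recursive
resolver.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed internal host that serves a "this site was blocked" page.
SINKHOLE_IP = "10.0.0.250"

# Constructed blocklist of phishing / malware-hosting domains (not real indicators).
BLOCKLIST = {
    "login-paypa1-secure.example",
    "update-invoice.example",
    "cdn.malware-drop.example",
}


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; canonicalise."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers qname, or None.

    Walks from the full name up through its parents so that
    'www.update-invoice.example' is caught by 'update-invoice.example'.
    The bare TLD is deliberately never checked.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


@dataclass
class SinkholeResolver:
    """Resolver that answers blocked names with SINKHOLE_IP and records who asked."""
    upstream: Dict[str, str]                        # stand-in for real recursion
    hits: List[dict] = field(default_factory=list)  # hit log for the security team

    def resolve(self, client_ip: str, qname: str) -> str:
        name = normalize(qname)
        rule = is_blocked(name)
        if rule:
            # A sinkhole hit means a user clicked a link or a machine beaconed:
            # that is an incident lead, not just a blocked lookup.
            self.hits.append({"client": client_ip, "qname": name, "rule": rule})
            return SINKHOLE_IP
        return self.upstream.get(name, "NXDOMAIN")


def run_demo() -> List[dict]:
    """Replay constructed queries and return the sinkhole hit log."""
    resolver = SinkholeResolver(upstream={"intranet.example": "10.1.2.3"})
    queries = [
        ("10.0.5.7", "intranet.example"),                  # legitimate lookup
        ("10.0.5.7", "WWW.Login-PayPa1-Secure.example."),  # phishing link from an email
        ("10.0.5.9", "cdn.malware-drop.example"),          # dropper fetching a payload
    ]
    for client, qname in queries:
        print(f"{client} {qname} -> {resolver.resolve(client, qname)}")
    return resolver.hits


if __name__ == "__main__":
    for hit in run_demo():
        print("ALERT sinkhole hit:", hit)
```

In a real deployment the blocklist would be fed from threat intelligence and the hit log shipped to the SIEM; the hits are the valuable part, because a workstation that resolves a malware-drop domain has already run something it should not have, even though the download itself was blocked.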

Conclusion

Human factors are risks that companies have to take into account when building their cybersecurity program. A lack of training and of supporting technology leads to compromises of the confidentiality, integrity, and availability of data. Employee training and technical controls should both be used to mitigate the risk of human error. Cost is an important consideration when deciding how much to invest in each. Companies should evaluate their own exposure and decide whether to prioritize one over the other or to balance training and technology in their cybersecurity program.

References

Gatlan, S. (2019, April 16). Over 80% of All Phishing Attacks Targeted U.S. Organizations. BleepingComputer. Retrieved November 15, 2022, from https://www.bleepingcomputer.com/news/security/over-80-percent-of-all-phishing-attacks-targeted-us-organizations/

Google. (2022). Advanced Phishing and Malware Protection. Google Workspace Admin Help. Retrieved November 15, 2022, from https://support.google.com/a/answer/9157861?hl=en

Kaspersky. (2017). The Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within. Kaspersky. Retrieved November 15, 2022, from https://www.kaspersky.com/blog/the-human-factor-in-it-security/

Walker, E., Witkowski, D., Benczik, S., & Jarrin, P. (2020). Cybersecurity – The Human Factor. CSRC. Retrieved November 15, 2022, from https://csrc.nist.gov/CSRC/media/Events/FISSEA-30th-Annual-Conference/documents/FISSEA2017_Witkowski_Benczik_Jarrin_Walker_Materials_Final.pdf
