
Understanding Data Security and the “Human Error” Factor


Learn how to successfully avoid common data security pitfalls in your farming operation.

By Anwar Iqbal
Computer Vision and Machine Learning Project Engineer @ Hectre


With increased technological penetration in organisations, it has become imperative for companies to be aware of threats to data and how to protect it. Often, it is a simple lack of awareness and training amongst individuals in an organization that leads to compromise in data security.

What are the Human Factors, and How Do We Overcome Them?

Various cybersecurity surveys name human factors as one of the major causes of data security breaches. One reason for this is that technological factors involving machines are (as one would expect) more predictable and offer a greater degree of control than people do. The human factors associated with data security therefore need to be mitigated by identifying them, analysing the possible shortcomings, and finding ways to overcome them. Let’s address some of the most common elements of human error in data security:

  • Sticking to bad password habits: Passwords are still the most common security measure used to authenticate to a device or an account. Despite the importance of a strong password, employees reuse old passwords, replace them with weak ones (e.g. qwerty, password, 12345, 11111), or keep them on sticky notes for anyone to see. To overcome this, employees should be made aware of best password practices, such as using alphanumeric and special characters in their passwords. Consider using password manager software, which stores passwords in encrypted form.
  • Social Engineering: This refers to the psychological manipulation of individuals into divulging confidential information which could then be used to commit fraud. Some of the ways in which employees are susceptible to social engineering are:
    • Phishing Attacks: This is the most widely used way for hackers to gain sensitive information. The hacker sends an email containing malicious links which appears to come from a trusted source. Once the individual opens and follows those links, the hacker is able to access his/her personal information. Spear phishing is a more sophisticated type of phishing in which the attacker sends highly customised emails to only a small number of potential victims; these attacks are more successful.
    • Reverse social engineering: This is a person-to-person attack in which the attacker convinces the potential victim that he/she has a certain issue with his/her network or computer, or may have that issue in the future. Once the victim is convinced and grants the attacker access to his/her system, the attacker has full access to the information on it.
    • To minimise the risk of social engineering, employees should be made aware of cybersecurity not only at the time of hiring but also periodically and effectively. Make use of short videos and articles to show employees how social engineering attacks work in real life.
  • Failure to update and secure privileged accounts: Privileged accounts have wider access to information and more authority, or privileges, to edit or alter data. However, the security mechanism around such accounts is often weak. The principle of least privilege (also called the principle of least authority) should be applied when granting access to online accounts, allowing each account access only to the specific data needed for work. IT admins should regularly update the privileged accounts and give them strong passwords. Separate administrative accounts and everyday employee accounts should be set up for IT staff responsible for managing IT infrastructure, and two-factor authentication should be implemented wherever possible.
  • Access to corporate devices by unauthorised personnel: Devices issued to employees and then brought home might be used by the employee’s family members. This could result in accidental access to or leakage of sensitive data, as well as malware being downloaded onto the device. To avoid this threat, corporate devices and accounts should be password protected, and two-factor authentication should be employed wherever possible. Organisations should have a data security plan that is known to all employees, and team leaders should encourage its implementation.
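The password-habits point above (weak or well-known passwords, and reuse of old ones) can be enforced at the point where a password is set rather than left to awareness alone. The following is an added illustration, not code from the article or from Hectre: a small policy check that rejects passwords from a constructed denylist seeded with the article’s examples, requires a mix of character classes, and detects reuse by comparing against salted PBKDF2 hashes of previous passwords so that the history itself never stores cleartext.

```python
import hashlib
import hmac
import secrets
import string

# Constructed denylist: the weak examples named in the article plus a few common ones.
WEAK_PASSWORDS = {"qwerty", "password", "12345", "11111", "123456", "letmein"}
MIN_LENGTH = 12            # assumed organisational minimum, not from the article
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def record_password(history: list, password: str) -> None:
    """Append a (salt, hash) pair for an accepted password to the reuse history."""
    salt = secrets.token_bytes(16)
    history.append((salt, _hash_password(password, salt)))


def was_reused(history: list, password: str) -> bool:
    """True if the candidate matches any previous password in the history."""
    return any(
        hmac.compare_digest(_hash_password(password, salt), digest)
        for salt, digest in history
    )


def check_password(password: str, history: list) -> list:
    """Return the policy violations for a candidate; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Reject exact matches and passwords that merely pad a well-known weak one.
    if lowered in WEAK_PASSWORDS or any(w in lowered for w in WEAK_PASSWORDS if len(w) >= 5):
        problems.append("contains a well-known weak password")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if was_reused(history, password):
        problems.append("reused from password history")
    return problems
```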

What Should We Learn From This?

To err may be human, but it doesn’t have to be the downfall of your data security. Employee training, effective information security plans, and awareness of the implications of a possible information breach each play a crucial role in addressing the human factors in data security. Companies should include a human factors checklist within their analytical framework when analysing cybersecurity threats, as this will promote better incident management. We may never completely eliminate the human factor in data security, but we can certainly mitigate it through periodic training, keeping employee knowledge and awareness current, and building a strong cybersecurity culture in the organisation.
