The Human Factor in Security

Information about individuals is used by businesses to provide customers with a huge array of targeted goods and personalized services that consumers have come to expect. However, if it lands in the wrong hands, this same information can result in harm to the very individuals it was meant to serve. The protection of an individual's personal information has business implications that extend beyond the privacy of any one individual. Private information relative to certain businesses and industries is protected by law. For example, the Health Insurance Portability and Accountability Act (HIPAA) laws protect private medical information. Many states have enacted their own laws, and the federal government is regulated by the Privacy Act of 1974. Legislatures are increasingly responding to calls for greater protection of private information, and stories of improper disclosures of large volumes of private information receive prominent media attention. At present, there is no broad, general federal law protecting the privacy of customer information; most protections are aimed at particular types of information (such as medical or student records, for example) or particular types of businesses (such as medical providers, banks, and financial services businesses, for example). Customers expect their information to be protected and businesses that recognize the need to make privacy part of their business strategy, are ahead of the game. Many companies have gone to great lengths to protect information using technological advances. However, the ability of a business to protect private information it collects as part of its business is only as strong as its weakest link - the human factor - something that technology just can't overcome.

We all make mistakes. We are only human, after all. Unfortunately, when it comes to cyber security, that’s also kind of the problem. The human factors in cyber security are perhaps the biggest challenge when building an effective threat prevention strategy.

Human error is the leading cause of data and security breaches. According to a 2014 article in Venture Beat: "95% of successful security attacks are the result of human error".  It was a person, lured by spear phishing, who opened the gates to the Democratic National Committee attack, as well as major hacks against Snapchat and the health care industry - to name a few examples of that human factor.

Socially engineered threats circumvent many cyber security systems by preying on human error. They use psychological manipulation to push users into performing an action or providing information. In the case of email attacks like phishing, this often involves clicking on an embedded link, downloading malware like ransomware or offering passwords and financial authorization.

In other cases, something as simple as a phone call can be used to collect your personal information.

This is how hackers hack you using simple social engineering (YouTube Video).

What can You Do?

If you run a business or organization that maintains personal information about individuals, it is essential that anyone with access to that information is receive regular training on how to safeguard this information, and the tactics that criminals may use to attempts to access it (i.e. Social Engineering).

Put steps in place to alert users to the possibility of social engineering whenever they access sensitive information and limit the amount of information that employees can access to the minimum amount required to do their jobs. 

Warn employees against making these common mistakes:

• Discussing sensitive information with "clients" without verifying their identity
• Failing to report a lost smartphone, tablet or laptop
• Leaving documents containing sensitive information on desks
• Using (and losing) unencrypted USB drives
• Sending unsecure emails
• Sharing passwords
• Using the same password for all apps
• Using obvious passwords (i.e. "Password", birth date, child’s name, "123abc", etc.)
• Storing passwords within reach of the computer
• Failing to report suspected illegal activity

As an individual, it is important to limit the amount of information that you provide to any business or organization. If you are told that your personal information is ‘required’ be sure you understand why it is needed, how it will be used, and what will be done to protect it from loss or compromise.

• Don’t give out your personal information over the telephone. This is especially true if you did not initiate the call.
• Be aware of phishing, vishing, and other attacks designed to gather your personal information.
• Never click on links in unsolicited / unverified e-mail.
• Use strong passwords and 2-Factor Authentication on all of your accounts.
• Safeguard Your Social Security Number
• Make sure that all of your personal communication is encrypted, using end-to-end encryption.

We will probably never eliminate human factors as weaknesses in security, but by being aware of these weaknesses and taking steps to address them we become that much more of a hard target.