Imagine the following scenario: You’re an employee at a financial services firm. You sit down to your desk, first cup of coffee in-hand, and notice an email from your firm’s CEO. You click on the email. The CEO is asking for sensitive customer information. It’s urgent, she says. Wanting to make a good impression, you send it over right away—and fail to notice that the email didn’t come from a company email address.
Each day, more than 3 billion fake emails are sent. When bad actors pose as reputable entities—whether the CEO or an important client—to gain access to sensitive information, it’s called phishing. Phishing attacks continue to get more sophisticated and represent one of the most common ways human error can compromise a company’s cybersecurity.
Good old-fashioned carelessness can also lead to cybersecurity incidents. Perhaps an employee sends sensitive information in an unprotected format or to the wrong person. Or maybe they use and download unauthorized software, in turn letting malware in.
Whatever the case, according to Verizon’s 2022 Data Breach Investigations Report, over 80% of cybersecurity breaches involve human error. The question, for financial services organizations, is how to minimize it.
Here are three steps organizations can take to minimize the human error threat.
1. IMPLEMENT CONSISTENT TRAINING.
Persistent, ongoing training is the best way to make sure your employees understand cybersecurity risks—and take steps to mitigate them in their day-to-day work.
Many employees have simply never thought about how much risk can be created by sending sensitive information by email. But while email may seem like private one-to-one communication, messages can easily be forwarded. Similarly, employees may be completely unaware of phishing attacks or be too busy to pay close attention to the emails they’re receiving.
Trainings can help change that. Through controlled phishing simulations, for example, you can test employees’ responses to phishing attacks and provide in-the-moment security education. Continually keeping employees apprised of corporate security policies is another way to keep them informed and vigilant.
Holding an annual training may be sufficient to fulfill regulatory requirements, but it’s not going to change employee behavior. Trainings must be consistent and ongoing. Consider holding trainings at least quarterly.
2. UNDERSTAND EMPLOYEE NEEDS.
Human error, of course, isn’t intentional. Often, cybersecurity is compromised by employees with the best of intentions. They are just trying to get the job done.
Thus, while it’s important to implement cybersecurity protocols, it’s equally important to ensure those policies don’t impede productivity. If protocols are put in place that hinder employees’ ability to serve customers, employees are likely to find workarounds. To prevent human error, IT must engage with stakeholders throughout the organization to understand what people need to do their jobs and what gaps currently exist—and find a happy medium that balances good security with access to applications and information.
When employees do make mistakes related to cybersecurity, use it as a learning moment. If people fear making cybersecurity mistakes—perhaps because they’ve seen others get punished—they’ll be less likely to bring them forward. This will only make your cybersecurity posture worse.
Remember: most people are trying to do the right thing. When mistakes arise, discuss it with the employee and their manager, offering constructive feedback for how to do better in the future.
3. CHOOSE THE RIGHT TOOLS.
Implementing cybersecurity best practices, from encryption to the principle of least privilege, can also help minimize human error. Two tools that are particularly useful in this realm are Data Loss Protection (DLP) and Azure Information Protection (AIP).
DLP prevents the illicit transfer of data beyond your organization’s walls via deep content inspection and constant monitoring. It ensures that any personal information that is stored within your organization does not leave without the proper authorization. This also helps organizations comply with regulations like GDPR.
AIP, meanwhile, is a security measure that lives within a particular document. With AIP, documents can be encrypted and watermarked before they are shared. Additionally, their sharing and editing capacities can be controlled, ensuring only specific people can open the documents—even if they’ve been accidentally forwarded to a non-approved party. The plug-in also allows access to be revoked.
The bottom line is that employees are never going to stop being human. It’s inevitable that mistakes will be made. The goal is the minimize the frequency of those mistakes and the impact they have on your organization. With frequent trainings, an understanding of employee workflows, and the right cybersecurity tools, sensitive customer data can stay protected despite human fallibility.
