The 7 Causes of Human Error Data Breaches
In the realm of cybersecurity, it is well-known that human error is now the leading cause of security breaches. In fact, more than 90% of data breaches are now the result of human mistakes and scams that directly target professionals – not their firewalls. Part of this is that technical cybersecurity has become so advanced that it’s more worthwhile for hackers to target people instead of software defenses. Firewalls, encryption, virus scanning, and network monitoring all make a whole lot of work for hackers who want to get in the old-fashioned way. But people can be tricked, scammed, and spoofed, and an employee’s access is so much more direct – and an attack on it is likely to succeed without a great deal of technical skill.
In other words, the bar is lower for targeting people instead of firewalls. Less skilled (but more manipulative) hackers can pull off a social hack far more easily than they can crack a cutting-edge security system. So we know why hackers target human error breaches. But with so much knowledge, and so many news stories about these breaches and how they happen, why do they still occur? We know that most professionals are reasonably cautious about getting scammed, and statistically, not everyone who gets socially hacked can be foolish, so what’s going on?
What are the real causes of human error data breaches? Let’s dive into the realistic reasons why professionals get phished, infected, and otherwise hacked.
1. Inexperience with Social Hacking
Naturally, the leading cause of falling for a social hack is inexperience. Usually, we phrase this as “Training is the best way to prevent social hacking”. But seen from the other side, inexperience is what makes these hacks successful. Let’s say you have never heard of the fake customer service scam, one that is getting a lot of play recently. Maybe your “bank” emails you about an “account problem”. You might be inclined to answer questions and click links without second-guessing.
Experience is what keeps us on our toes. For many, it’s a long history on the internet – sussing out what is true or false. Many of us have had a dozen or more of our own “Nigerian Prince” emails to disregard. A few of us are survivors of clicking the wrong email at the wrong time, and of the aftermath that caused. Others were trained to identify these scams – and retained that training – so they borrow from the experience of others.
But among the billions of professionals worldwide, there are still millions who have neither the personal nor the training experience to stop themselves from being socially hacked.
2. Unavoidable Traps
The next most common cause is traps that can’t be avoided with experience or training. Often, these are the phishing-style hacks that involve some software capability on the part of the hacker. For example, a compromised website with a spoofed login page can steal dozens of logins before the breach is caught.
While human action – entering a login into the wrong page – is the cause of the breach, these attacks sidestep any practical ability to detect and avoid the phish, and therefore take away the victim’s ability to choose not to be hacked. Other examples of an unavoidable hack usually feature the hacker getting between a user and the platform they are using. They take advantage of normal human interaction without giving away any clues to the ruse.
3. Effectively Convincing Scams
Not all scams are easy to spot. We all know not to send money to strangers, but social hacking is getting far more sophisticated than the old Nigerian Prince trick. Even people who have experience, who are trained, and who stay on their toes about security decisions can be fooled with the right scam.
This might mean creating or taking advantage of a crisis so the victim is distracted, or it might mean effectively impersonating a friend, loved one, or coworker. It might even mean using a legitimate (stolen) account of a known contact. But every now and then, hackers are good enough to fool even the best.
4. Security Gaps in the Stack
Another cause of human-triggered data breaches is actually a software flaw. Consider how the pieces of a tech stack must work together to create a fully secure system. If any part of your tech stack creates a gap in security, then ordinary user activity can expose that gap for a hacker to exploit. For example, a hacker may use social hacking to trick an employee into sending information through your least secured cloud platform. If that platform or its data channels are already compromised, this could expose data even though the employee had no reason to assume that it would.
5. Distraction and Distress
Distraction is the leading reason why savvy, experienced professionals can sometimes be caught out by otherwise obvious scams. When someone is distracted or distraught by an unpleasant situation, they tend to check their emails a little less carefully before clicking on a “resolution”. Deadlines, reorganization, and family tragedy all create the kind of distraction that hackers use to make their targets easier to fool.
Recently the COVID crisis has become the distress target of choice, as hackers have picked up the “popular” trend of spoofing aid services and taking advantage of the need so many families are experiencing right now.
6. Muscle Spasms of the Mousing Hand
Of course, there are always a few hacks where no-one was fooled and no-one would have clicked – if not for an involuntary muscle spasm, also known as a mis-click. We’ve all been there. The mouse clicks 2-5 times under your finger totally by accident. Usually, this just results in a double click or a double right-click, with whatever effect those have. But on the same web page as a hacked link, a fingertip muscle spasm can be dangerous.
Every now and then, professionals accidentally click on a baited link not out of curiosity or foolishness, but sheer normal clumsiness instead. Most of us have triggered something accidental with a mis-click, whether it was accidentally launching Microsoft Paint or clicking an infected link without meaning to.
7. Inattentiveness at a Critical Moment
Finally, the last prominent cause of human error data breaches is good old inattentiveness at that critical moment. There may or may not have been an orchestrated distraction, or maybe the professional was just on the phone or late for a meeting at the moment they opened a social hacking email. Sometimes, we just aren’t exercising the right amount of care with every single message, phone call, or new website. We’re not always looking for those tiny tell-tale signs of a suspicious contact or a hacked site. And that is what hackers are counting on – that percentage of professionals who, even if they know better, just aren’t attentive at the moment they are phished.
Here at BWS Technologies, we specialize in helping companies prevent social hacking data breaches. There are software protections like email filters and link scanners in addition to training methods and hacker drills. Together, we can close the gap. Contact us to further explore how to protect your brand and team from social hacking – whatever the cause.