Nature isn’t always kind to IT. Floods, tornadoes, hurricanes, wildfires, squirrels…there are any number of natural disasters that can befall our equipment and data. But ‘Mother Nature’ isn’t the only nature we need to guard against. Human nature can be just as destructive, especially when it comes to IT security.
Browsing through my morning IT security briefings, I ran across an article from the Disaster Recovery Journal that claimed human error is the root cause of about 52% of security breaches.
That got me thinking…Isn’t human error the root cause of all security breaches? I mean it’s not like our systems are intelligent enough to make their own mistakes. (Yet.) Anything that goes wrong is ultimately the fault of some human somewhere.
3 Ways “To Err is Human”
Immediately after making that statement, the DRJ article mentioned the bane of every CISO’s existence: phishing. So, when they say that human error is the root cause of more than half of all security breaches, they appear to be talking about human error #1: An end user in the organization does something they shouldn’t.
Succumbing to a phishing scheme is a common example, but this might also include sharing information with an unauthorized individual (a real problem in healthcare), leaving an unencrypted laptop unguarded, posting passwords on sticky notes, or visiting a compromised website. There are dozens of ways employees unwittingly undermine our security efforts every day.
That leads me to human error #2: Assuming that human nature can be overcome. As IT security professionals, we have to accept the fact that to err is human. I’m not saying we should spend less time educating employees on their role in ensuring the security of company systems and data. Most organizations should probably spend more! What I am saying is that we should also eliminate the potential for error as best we can.
In addition to educating your employees, there are a number of additional actions you can take, including:
- Ensuring all software is kept patched and configured with its security features enabled. (If you’re leaving software and system updates to your employees, you might be overestimating human nature again.)
- Deploying endpoint protection (anti-virus/anti-malware) on every device and keeping it current, since an out-of-date scanner offers little more than a false sense of security.
- Requiring a passcode and full-disk encryption on every laptop and mobile device, so that a lost or stolen device does not automatically become a data breach.
- Setting up a VPN, which encrypts communications between your employees’ remote and mobile devices and your network.
- Enabling biometric authentication, ideally as one factor of multi-factor authentication, instead of relying on ultra-strong passwords that employees must change every six months. (Forced rotation mostly produces predictable variations and sticky notes; current NIST guidance in SP 800-63B recommends against periodic password changes unless a compromise is suspected.)
- Deploying a spam filter on your email system, ideally one that also scans links and attachments, to cut down on the number of phishing attempts that reach your employees’ inboxes.
Finally, speaking of human nature, we have human error #3: Not recognizing our own limitations. IT professionals like to be the experts. In fact, we’re expected to become experts if we aren’t already. If you ask the company why they hire an experienced IT professional, they’d probably say, “Because they were an expert in (fill in the blank).” This expectation makes it hard to admit when we’re not up to the job.
To be clear, I’m not saying any one of us isn’t smart enough to figure it out, but time is a huge factor in the errors IT professionals commit: We couldn’t find the time to address the issue of mobile security because we were too busy keeping the network up and running. We didn’t notice our systems had been breached because we were expanding capacity in our data center. We didn’t apply the latest security patch to our operating system because we were knee-deep in upgrading the ERP system. We didn’t realize we left an AWS cloud resource open to the internet because this is our first AWS deployment, and we haven’t had the time to learn all the ins and outs yet.
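That last mistake, a cloud resource accidentally reachable from the whole internet, is one a short check can catch before an attacker does. The following is an added example, not code from the original post or from Connectria. It walks security-group rules in the shape returned by boto3’s `ec2.describe_security_groups()` and flags administrative ports exposed to `0.0.0.0/0` or `::/0`. The sample groups are constructed for illustration; in practice you would pass the real `SecurityGroups` list to `find_open_admin_rules()`. The list of "admin" ports is an assumption you should tune to your environment.

```python
"""Flag AWS security-group rules that expose admin ports to the whole internet.

Added example, not Connectria's code. SAMPLE_GROUPS below is constructed to match
the shape of boto3's ec2.describe_security_groups()["SecurityGroups"]; no AWS
calls are made, so this runs offline.
"""

# Assumed set of ports attackers probe first on a world-reachable host.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               27017: "mongodb", 6379: "redis"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _rule_cidrs(rule):
    """Collect every IPv4 and IPv6 CIDR listed in one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def _exposed_ports(rule):
    """Return the admin ports a single ingress rule covers.

    IpProtocol "-1" means all protocols and all ports; such rules carry no
    FromPort/ToPort, so they must be treated as exposing everything.
    """
    if rule.get("IpProtocol") == "-1":
        return sorted(ADMIN_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return []
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    # A port *range* (e.g. 3380-3400) can silently include 3389.
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def find_open_admin_rules(security_groups):
    """Return (group_id, port, service, cidr) for every world-open admin port."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            world = [c for c in _rule_cidrs(rule) if c in WORLD_CIDRS]
            if not world:
                continue
            for port in _exposed_ports(rule):
                for cidr in world:
                    findings.append((sg["GroupId"], port, ADMIN_PORTS[port], cidr))
    return findings


# Constructed sample input, shaped like describe_security_groups() output.
SAMPLE_GROUPS = [
    {   # web tier: HTTPS open to the world is expected, not a finding
        "GroupId": "sg-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # bastion: SSH from the office only is fine; the RDP range is not
        "GroupId": "sg-bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3380, "ToPort": 3400,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # the "allow everything" rule added during a late-night debugging session
        "GroupId": "sg-scratch",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


if __name__ == "__main__":
    for group_id, port, service, cidr in find_open_admin_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({port}/tcp) reachable from {cidr}")
```

Two details matter in practice: a rule with `IpProtocol` of `-1` has no port fields at all, and a wide TCP port range can include an admin port without naming it, so matching only on `FromPort == 22` misses both cases. Running a check like this on a schedule, rather than relying on whoever deployed the resource to remember, is the point of "eliminating the potential for error" from the previous section.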
Only Humans Can Fix Human Error
In the same way that human error is the root cause of all security breaches, all IT security fixes are still the responsibility of humans. Yes, technologies such as spam filters and anti-virus/anti-malware programs can help, but it’s up to the IT professional to deploy those technologies correctly.
It’s also up to IT leaders to admit when reinforcements need to be called in. Maybe the need is temporary, e.g., assistance with that first AWS deployment. Or maybe the need is more permanent, e.g., managing IT security because you don’t have the budget or headcount to get the job done in-house. Whatever it is, the power to fix the problem is still in your hands.
Let Us Know How We Can Help!
Connectria offers a wide range of individual services (e.g., DevOps support, Disaster Recovery-as-a-Service (DRaaS), cloud migrations, etc.) as well as more long-term services (e.g., remote monitoring, managed clouds, and security and compliance assistance). We also offer the TRiA Cloud Management Platform, an all-in-one tool that provides visibility and control across all your cloud environments from a single console.
Reach out to one of our cloud advisors for a personalized discussion of your IT management needs.