With increasing dependency on technology and digital systems over the years, societies and organisations have shifted how they function. The same technology that gives businesses the opportunities and interconnectedness to scale also exposes them to harmful cyber risks. Today, it’s not surprising that cybercrime incidents have skyrocketed, prompting organisations to take necessary precautions to bolster their security.
In late July, the Smart Nation and Digital Government Office reported a sharp 65% increase in government data incidents, from 108 cases in FY2020 to 178 cases in FY2021. This increase mirrors what the private sector sees and what is happening globally, where the exchange and use of sensitive data have become increasingly common. According to the Global Risks Report released by the World Economic Forum this year, 95% of cybersecurity issues could be traced back to human error, which may run the gamut from staff clicking on phishing emails to falling prey to impersonation scams.
Humans are the weakest link
Employers, employees and other relevant stakeholders are inherently responsible for the cyber health of an organisation. “Employees have, and need, access to business-critical information in order to perform their roles and responsibilities,” says Ms Raen Lim, an EXCO member for the Singapore National Co-operative Federation (SNCF), on why staff are the weakest link in an organisation. Ms Lim, also the Group Vice President of San Francisco-based technology company Splunk, adds: “(Staff members) are often targets of malicious attacks.”
Mr Christophe Derdeyn, a partner at IT consultancy delaware Singapore, echoes the same sentiment. He posits that organisations are becoming increasingly vulnerable because the hackers’ tactics are now even more sophisticated. On why employees may have unknowingly fallen prey to cyber attacks, he added: “Employees tend to get careless when they perform manual and mundane tasks repeatedly. They might have mistakenly accessed a cyberthreat as they prioritise efficiency rather than meticulousness.”
The pandemic did not make it easier for organisations to effectively amp up their defences either. In its 2022 State of Security Report, Splunk—which produces software for searching, monitoring and analysing machine-generated data—revealed that 65% of organisations worldwide have seen a measurable increase in attempted cyber attacks, with 49% of these companies suffering a data breach over the past two years. “Some of these cyber attacks may even be attributed to remote working,” Ms Lim says. Employees working from home may have allowed their children access to their work devices for home-based learning, video streaming or gaming, or even sent company information to the wrong parties.
Besides a lack of security awareness, inadequate software security can be another reason employees are particularly vulnerable. Some organisations may use outdated, legacy software just because they are familiar with it, potentially leaving themselves vulnerable to cyber attacks. Technological solutions and software require constant updates to function optimally. Some employees may disable such security updates, thinking they hinder their daily operations, when doing so does more harm than good.
How to overcome risky human errors
To strengthen an organisation’s cyber-resilience, leaders need to understand that digital trust is a currency that fosters growth and innovation. More importantly, they must step up and encourage staff members to upskill themselves with cybersecurity know-how.
So how can you overcome these risky human errors? Both Mr Derdeyn and Ms Lim suggest getting acquainted with some of the human behaviour that may put organisations at risk of cyber threats. Ms Lim adds: “Regular employee engagement and security awareness training are important to create a security mindset amongst the employees and to motivate them to remain vigilant to cyber threats and countermeasures.”
Check out some of these familiar sources of human errors below:
Poor password hygiene
Many cyber attacks use stolen credentials to breach an organisation’s internal network. Employees who practise poor password hygiene are particularly susceptible to these attacks. Ms Lim argues that employees who use weak passwords, reuse passwords, and share passwords with others put organisations at risk. “Unfortunately, these passwords can be hacked within a second, and hence do little to protect the organisation’s systems and data,” she says.
Victims of social engineering
Sophisticated and new modes of technology have enabled bad actors to enact more elaborate forms of cyber attacks. For instance, deepfake technology, which is particularly rampant on social media and can replicate someone’s identity to spread false information, can be employed in social engineering ploys.
“Employees may sometimes find themselves as victims of social engineering,” says Ms Lim. Social engineering in cybersecurity refers to the use of deception to manipulate victims to divulge classified or personal information. One of the common forms of social engineering is email phishing.
How to further improve an organisation’s cyber-resilience
Recognising some familiar sources of human errors may be a step in the right direction, but here’s what you need to know to strengthen the cyber-resilience of your organisation for the long haul.
Advocating for better password hygiene
Strong passwords can help keep your online accounts and personal information safe. A strong password should always contain a mix of uppercase (ABC) and lowercase (abc) letters, numbers (12345), and some special characters (!?@%$#). According to the Cyber Security Agency of Singapore (CSA), a strong password should comprise at least 12 characters. Organisations can also look to incorporate two-factor authentication to add an extra layer of security. It is equally crucial for you to change your password every three months.
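The criteria above, together with the password reuse described under “Poor password hygiene”, can be checked automatically when a password is changed. The following is an added example, not part of the original article or of CSA guidance; the function names, the PBKDF2 settings, the reading of “three months” as 90 days and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 12                 # minimum length attributed to CSA in the article
MAX_AGE = timedelta(days=90)    # "every three months", taken as 90 days (assumption)
SPECIALS = set(string.punctuation)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(candidate: str, history, last_changed: date, today: date):
    """Return a list of policy findings; an empty list means compliant.

    history is a list of (salt, hash) pairs for previously used passwords.
    last_changed is the date the account's current password was set.
    """
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("shorter than 12 characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in candidate),
        "lowercase letter": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special character": any(c in SPECIALS for c in candidate),
    }
    findings += [f"missing {name}" for name, ok in classes.items() if not ok]
    # Reuse check: hash the candidate with each old salt, compare in constant time.
    for salt, old_hash in history:
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            findings.append("reuses a previous password")
            break
    if today - last_changed > MAX_AGE:
        findings.append("current password older than three months")
    return findings

# Constructed sample data (not real credentials).
_salt = os.urandom(16)
HISTORY = [(_salt, hash_password("Orchid!Harbour2021", _salt))]

if __name__ == "__main__":
    print(check_password("password1", HISTORY, date(2022, 1, 1), date(2022, 8, 1)))
```
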
Ensuring checks and balances
Ms Lim suggests organisations should look into having more controls put in place to prevent human errors. She says: “Access to IT systems and information should be based on the principle of least privilege. Controlling the data and access to IT systems by employees can limit the chances of them falling into the wrong hands.” Email security solutions can also be leveraged to filter phishing emails and minimise employees’ exposure.
Mr Derdeyn, however, encourages organisations to embrace automation to overcome lapses. He also adds: “It is important for organisations to conduct regular audits and identify the gaps which are most prone to human errors.”