Human Error

Unintentional actions are among the most common patterns in Information Security incidents. Miscellaneous errors by employees can directly compromise an organization's assets and lead to data breaches. According to the latest Verizon Data Breach Investigations Report (DBIR), misconfiguration (e.g., of servers or firewalls), misdelivery (e.g., of an email to the wrong recipient), and publishing errors (e.g., AWS S3 buckets exposed to the internet) were the three human errors that most often led to data breaches in 2021 [1].

Information Security Awareness Training is a good start

Awareness training and campaigns are a key aspect of reducing the risk of human error. To have a lasting effect, training content should:

  • Explain WHY Information Security matters,
  • Be presented in short "learning nuggets",
  • Be simple,
  • Be fun,
  • Encourage employees to talk about information security.

When planning awareness training and campaigns, the important stakeholders as well as employees from the target audience should be involved. Take enough time for planning, preparation, and execution. Information Security awareness cannot be developed overnight; it is an ongoing process, and it takes years until awareness is lived as part of an organization's culture.

An Information Security Culture minimizes Human Error

According to Anna Mempel (Chief Operating Officer of SECURNITE) and Dr. Ulrich Pfeiffer (ADVIA), employee behavior is mainly influenced by the culture of an organization. Culture leads to tasks being done in a certain way without that way being written down in an Information Security policy. When Information Security is rooted in an organization's culture, employees, teams, and management are subconsciously encouraged to make decisions in accordance with security policies. However, human error can never be ruled out completely. Fortunately, a security culture minimizes its impact: when employees are encouraged to talk about errors rather than pretend they never happened, the Information Security team gains valuable time for containing possible damage. To have a lasting effect, organizations should align their strategy accordingly and introduce an Information Security culture step by step [2].

Recommendation

Check if your organization minimizes the risk of human error:

  • Is Information Security rooted in your organization's culture?
  • Are work practices, routines, and technologies optimized to reduce the opportunities for human error?
  • Is tailored awareness training part of employees' daily routine?

Need help shifting to an Information Security culture? Contact us for more information.

Sources