Cyber Security Breaches Caused by Human Error, Others - Expert Posits

Information security and digital forensic expert Benedict Joseph Oluwaseun has steadily identified human error, among other factors, as a key contributor to cybersecurity breaches for several years.

Oluwaseun said recent cyber-attacks such as the Equifax breach, Uber, and the Capitol One Oil and Gas breach, which saw a ransom payment of 75 bitcoin ($4.4 million worth), could have been avoided if the employees had been equipped with the required skills and knowledge to identify and mitigate an attack.

In other words, 19 out of 20 cyber breaches may not have occurred if human error had been eliminated, he said.

He explained that Stanford University had reported that employee error accounts for about 88% of data breaches. Even more unexpectedly, a study by IBM found that 95% of cybersecurity breaches were caused by human error.

The forensic expert said that although firewalls and other technologies can be the foundation of a company’s cybersecurity program, they cannot guarantee complete protection, as numerous studies demonstrate that human error accounts for many reported breaches, and these typical human mistakes can harm cybersecurity.

He also made a case for skill-based errors, saying they are minor errors that occur while carrying out a daily task, often due to inattentiveness, tiredness, and distraction.

Oluwaseun further stated that lack of education and awareness amounts to such shortfalls, as employees may only know the risks or how to avoid them if they have received training in cybersecurity best practices.

Analyzing other areas in cyberspace, he noted that more than 20% of breaches involved phishing, which the expert said is the most common threat action type. He also pointed to password management, where weak passwords or storing them incorrectly can make it simple for hackers to access sensitive data.

He went further to explain that, with poor network management, systems may become vulnerable to attack if network access and permissions are not correctly managed, while decision-based errors are mistakes brought on by making bad decisions, like downloading malicious software or previous software updates.

According to him, “Cybersecurity affects every sector worldwide, and companies must turn to their staff to augment traditional security solutions.
“In the past, the conventional firewall could stop hackers from coming in from the outside, but nowadays, hackers manipulate employees to circumvent traditional firewalls.

“The way to fight back is to arm employees with knowledge and training and to work with them to build a resilient and knowledgeable human firewall.
“A human firewall is the real-world equivalent of a traditional network firewall.”

To create human firewalls, human beings are given the tools to recognize and thwart cyber threats. The human firewall is built on continuous Security Awareness Training, giving everyone the knowledge to stop hackers.

He gave tips on stopping hackers, which include developing a security culture with a “security-first” mindset, saying that security is the concern of every employee, from the top of the organization down, and that they should all be included in the security awareness training. Developing a robust security culture starts with the onboarding of employees.

Oluwaseun went on to say that cybersecurity awareness training should be part of new employees’ hiring and onboarding processes, as organizations require employees who are both business-savvy and capable of defending their company against cyberattacks.

“Employees are less likely to be motivated to learn about threats and how to avoid them if they aren’t aware of why it’s important. However, if they’re aware of a breach’s severe consequences, they’ll be more than willing to actively participate and adopt the security culture.

“Talking openly about vulnerabilities and cybersecurity is another way to develop a strong security culture. Regularly distribute security updates, run phishing tests, engage staff in training, and emphasize team culture. Your human firewall will function better the more people who care, value, and enjoy what they do,” he maintained.

He advised as follows: “Cybersecurity awareness training would serve as robust training that will provide adequate information to employees on how to recognize a cyber-attack, such as a phishing email campaign, and take the right actions to mitigate a breach.

“Organisations and staff must stay current on the most recent risks and trends because threats and risks constantly change. Therefore, planning ongoing training sessions for your staff members is crucial rather than just a single event when organizing your security awareness training. Security training should be engaging, scenario-based, and ongoing, covering a variety of subjects, including phishing attacks, ransomware attacks, malware, and social engineering.”

Other areas he advised on were testing employees and providing incentives, in addition to salary, as a reward to dedicated workers who have delivered excellent performance and have been active during and after training, to encourage them to stick with the training, support the critical mission, and adopt a security culture.

He therefore called on employers in the field to introduce security terms to their employees and make the training exercise more enjoyable with the appropriate set of tools for security awareness training, such as a platform that can simulate phishing attacks, binge-worthy video content, gaming-style activities, and compliance tools, which will motivate employees to participate more.

“Cybertalk.org claims that when you’re having fun, your brain is 68% busier. Designing a security awareness campaign that includes entertaining, engaging elements makes sense.

“Other essential security tools for an organization include software, network security monitoring tools, encryption tools, antivirus data protection software, and vulnerability scanning tools.

“The most effective way to deliver security awareness training that will stick to and encourage employee commitment to the program and become a part of the security-first culture is through an interactive, informative, and engaging training experience,” he added.
