It’s no secret that people are the biggest threats to themselves when it comes to cybersecurity. Stanford University states that 88% of data breaches are “coming from inside the house” — i.e., attributable to user error. Per IBM, user error is the main cause of 95% of cybersecurity breaches. If we ourselves are responsible for so many breaches, how can organizations best mitigate those errors in cybersecurity?
The uncomfortable truth is that they can’t. It’s not possible. As long as there have been people, there have been mistakes and missteps. This continues to be true in the modern world. No amount of process optimizations or AI tools could change this.
Organizations are best positioned when they accept that user mistakes in cybersecurity are inevitable. It is the responsibility of the organization to put mitigation systems in place that account for this fact and have their platforms be properly protected.
This looks less like “make sure you have a complicated password” and more like “let’s make it so that if somebody got your password, nothing bad would come of it”. Let’s explain by examining how the most common cyber attacks happen.
Credential stuffing happens when bad actors submit long lists of stolen username and password pairs to website login forms. They use malicious bots to check thousands of combinations before finally finding one that is successful. Most commonly, bad actors get these stolen username and password lists through data breaches.
So, you may wonder: why not just monitor data breaches to ensure that credential stuffing gets stopped before it can even begin? This is where the user error element comes into play. The reality is that 65% of people reuse their passwords. So, when one data breach happens, it’s not just one website that’s now accessible to bad actors — it reverberates to every single website in the digital ecosystem where a password is being reused.
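One way a defender can spot a credential-stuffing run like the one described above in ordinary login logs, as an added example that is not part of the original post (the log format, IP addresses, usernames and thresholds are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (hypothetical format): timestamp, source IP, username, outcome.
# 203.0.113.7 rotates through many usernames in seconds, the pattern of a bot replaying a leaked list;
# 198.51.100.4 is a person who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave FAIL
2024-05-01T10:00:05Z 203.0.113.7 erin OK
2024-05-01T10:00:06Z 203.0.113.7 frank FAIL
2024-05-01T10:03:00Z 198.51.100.4 alice FAIL
2024-05-01T10:03:20Z 198.51.100.4 alice OK
"""

def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, username, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within `window`, try many distinct usernames with mostly failures.

    A legitimate user who mistypes retries the *same* username, so the distinct-user count
    stays low; credential stuffing rotates through usernames. Successful logins inside a
    flagged run are the accounts to remediate (forced reset, step-up auth) before takeover.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            run = evs[start:end + 1]
            users = {e[2] for e in run}
            fails = sum(1 for e in run if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(run) >= min_fail_ratio:
                flagged[ip] = {"attempts": len(run), "distinct_users": len(users),
                               "hit_accounts": sorted(e[2] for e in run if e[3] == "OK")}
    return flagged
```

The thresholds are deliberately simple; in production they would be tuned per site and combined with other signals (device, geography, rate), but the distinct-username signal is what separates a bot replaying a breach list from a person who forgot their password.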
When successful, credential stuffing leads to another even bigger problem: account takeover.
When fraudsters successfully gain access to victims' online accounts, it’s called account takeover. Once access to an account is gained, bad actors can lock the rightful owner out of their account permanently. They are then free to conduct fraud however they please, whether it’s making purchases, impersonating the victim, depleting gift cards, redeeming (or transferring) loyalty points, and more.
Credential stuffing is not the only way to complete an account takeover. Sometimes, bad actors are able to fraudulently gain access to an account by simply guessing weak passwords (brute force). Account takeover could also happen as a result of a successful phishing attempt or through malware installation.
Unfortunately, account takeover isn’t the worst thing that can happen. Account takeover opens the door for bad actors to do something even more nefarious: account fraud.
Account fraud occurs when a cybercriminal creates new accounts on digital platforms with fraudulent intent. These could be bank accounts, online dating profiles, social media accounts, and so on.
Account fraud requires cyber criminals to use stolen information to create accounts. They use stolen personal details like name, address, driver's license number, Social Security numbers — any type of Personally Identifiable Information (PII). These details are mined through phishing attacks or social engineering that rely on psychological tricks to fool their targets.
Although this is an area where education can help prevent attacks, even the most tech-savvy among us are susceptible to a single lapse in judgment. All it takes is one event to compromise the integrity of an unprepared organization’s data.
User error, whether intentional or unintentional, poses a significant threat to data confidentiality. Fraudsters can trick employees or partners into giving out sensitive information or downloading malware onto their systems. This malware can be used to access an organization's sensitive data, which can then be shared with bad actors and used for sabotage.
Data breaches result in significant financial losses for businesses. Organizations may have to pay hefty fines to regulatory bodies. Parties affected by the breach can also sue organizations for the failure to protect their sensitive data.
According to a study by Cisco, 53% of cyber attacks end up costing the victim organization more than $500,000 in recovery and mitigation costs.
Beyond financial impacts, cyber attacks erode customer trust and damage an organization's reputation and credibility. Negative publicity may dissuade potential customers and encourage existing ones to jump ship (ideally to a more secure vessel).
Stakeholders and partners might also be hesitant to collaborate with a brand for fear that their sensitive data may not be properly safeguarded. If your platform is vulnerable, your reputation is in jeopardy.
As stated, it’s impossible to totally eliminate user error in cybersecurity — nor is the onus on the user. It is the responsibility of the organization to safeguard itself against cyber threats. The imperfections that make people wonderfully creative, unique, and unpredictable are the same ones that make us prone to errors.
That being said, companies do themselves a favor when they understand how user errors happen and put mitigations in place. Being proactive in your approach saves you from having to be reactive later on.
The principle of least privilege restricts staff and partners to only the resources they need to do their jobs. Granting users the minimum permissions required to perform their tasks shrinks the attack surface, leaving attackers fewer access points to exploit. This strategy limits cyber attackers' ability to move laterally within your system or access sensitive data. It also limits the possibility for attackers to launch widespread attacks.
Investing in cybercrime protection as a service adds an additional layer of security between fraudsters and your customer and employee base. Ideally, this solution should effectively work to stop automated and user-initiated attacks and all of the implications that follow, including fake account creation and fraudulent transactions. Frictionless services run in the background, providing minimal disruption to the customer journey.
While education can be an important part of ensuring that your customer base understands how to best protect themselves, it shouldn’t be the first order of business. The responsibility falls to the organization to invest in proactive safeguards and should not rest only on individual users.
In summation, it’s impossible to eliminate the risk of user errors. However, businesses can mitigate these risks by investing in proactive software solutions that protect users at every stage of the customer journey. HUMAN’s security solutions work together in the background to detect, neutralize, and remediate fraudulent attacks and keep customer data safe.
For example, with the Compromised Account solution, it’s possible to remediate accounts that have been exposed in a data breach before they become victims of account takeover (ATO). The Account Takeover Defense solution stops illicitly obtained credentials from getting past the login phase in the first place. Request a demo today to discover how the HUMAN solutions can work for you.