90% of Cyber Attacks are Human Error. Ten tips to prevent insider threats for your business

 
Sanjiv Cherian, Cyber Security Director
Sep 26, 2023

The average social engineering breach costs the financial sector over 4 million dollars.

Overview of Human Error in Cybersecurity

Suppose you own a bank. One of your employees, a recent business-school graduate who landed the job after a long year of searching, handles complaints from customer-portal users and fixes whatever issue they call about.

One day he takes a call from a "John Doe", supposedly one of the bank's clients, who says he has lost his login credentials for the portal app and urgently needs to transfer money for rent today. Could he kindly help? Doing his job, the employee asks the caller for a name and address so he can sort out the account, not realising he is being worked by an elaborate ruse: the person on the other end of the phone has just socially engineered his way into a client's credentials.

Human error is one of the most significant security risks an organisation faces, even though it is rarely treated as such, judging by how few resources are allocated to preventing it.

"Verizon's Data Breach Investigations Report for 2022 found that humans are involved in over 80% of data breaches. That includes cases where employees directly expose information (for example through a misconfigured database) and cases where they unintentionally enable cybercriminals to exploit the organisation's systems."

To address this, those in positions of authority must understand how human error affects their organisation and acknowledge the gravity of the associated risk; social engineering is only one of the ways human error leads to a breach. In this article we cover what human error is, the threats it poses to a business, real incidents in the financial industry, what was learned from them, and the technology solutions used to mitigate the problem.

Challenges your business might be facing right now without your knowledge

Phishing Attacks
The example above is social engineering by phone; a great many human-error breaches start with phishing instead, which relies on the same lapse in attention (a link to a "government" website in your mailbox whose URL is misspelt is generally not a good sign). Cybercriminals craft deceptive emails or messages to trick employees into divulging sensitive information such as login credentials or financial data. A single click on a malicious link or attachment can lead to a data breach, financial fraud or a ransomware infection.
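The misspelt-URL tell is something a mail gateway or a link-checking browser extension can test for mechanically. The script below is an added example, not code from the original article or from Microminder: it classifies the host in a link as trusted, lookalike or unknown against a small allow-list. The allow-list, the homoglyph table and the edit-distance threshold of 2 are all assumptions chosen for the example, and the URLs in the usage are constructed.

```python
import unicodedata
from urllib.parse import urlparse

# Assumed allow-list of domains staff legitimately receive links from (hypothetical).
TRUSTED_DOMAINS = {"hmrc.gov.uk", "examplebank.com"}

# Digit/symbol substitutions typosquatters commonly use to imitate letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a"})


def normalise_host(host):
    """Fold Unicode lookalikes (NFKC) and digit-for-letter swaps so 'g0v' compares as 'gov'."""
    return unicodedata.normalize("NFKC", host).lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a URL."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    # The genuine domain, or a subdomain of it, is fine.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalise_host(host)
    labels = norm.split(".")
    for t in trusted:
        # Trusted name glued into another domain, e.g. examplebank.com.secure-verify.net,
        # or the trusted name reached only after homoglyph folding, e.g. hmrc.g0v.uk.
        if t in norm:
            return "lookalike"
        # Compare the same number of trailing labels as the trusted domain has.
        tail = ".".join(labels[-len(t.split(".")):])
        if levenshtein(tail, t) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed URLs of the kind that turn up in phishing mail.
    for u in ("https://online.hmrc.gov.uk/login", "http://www.hmrc.g0v.uk/refund",
              "https://examplebank.com.secure-verify.net/reset", "https://exampIebank.com/login",
              "https://news.bbc.co.uk/"):
        print(f"{classify_url(u):9} {u}")
```

The threshold is deliberately loose for short second-level names; in production the allow-list would be larger and the tail comparison would use a public-suffix list rather than a fixed label count, which is the main simplification here.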

Insider Threats
Not every insider incident is malicious. Mishandled data, accidental leaks, misconfigured cloud storage and overlooked access controls all expose valuable financial information to people who should never see it. These kinds of human error show why a culture of data security matters; proper cyber security training is an investment in the future security of your business.
Weak passwords
Despite constant reminders to use strong passwords, employees often opt for the simplicity of a short or uncomplicated password and reuse it across their credentials, personal and work-related alike, so one leaked password unlocks several accounts.
Lack of Security Awareness
A lack of awareness and proper security training leaves employees in the financial industry ill-equipped for the threats that lurk out there, and cybercriminals prey on exactly that knowledge gap. Training your employees in sound cyber security practices can save your business.
In banking, compromised customer accounts and stolen financial information erode customer trust and loyalty, so the consequences of human-related cyber attacks can be extreme. Businesses must recognise the severity of human error in cybersecurity and treat staff training as a necessary investment.

Real-Life Examples of Cyber-attacks Caused by Human Error

First American Financial: record-breaking data breach
In 2019 the major US real-estate title insurer First American Financial exposed over 880 million real estate transaction, financial and personal records dating back around 20 years. The documents were visible to anyone who had one of the URLs: document identifiers were sequential, and the web application served a record to whoever requested it without checking that the requester was a party to that transaction. This is a business logic flaw (specifically an insecure direct object reference): the attacker never breaks the application, they simply send requests that look perfectly valid and that the application's rules should have refused.
Beyond the coding and design issues, the breach resulted from inadequate process validation. When an application fails to enforce the rules it is supposed to, it becomes vulnerable to anyone who notices, so make sure you have the technical resources to detect and eliminate this class of vulnerability.
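To make the flaw concrete, here is an added example (not First American's code, and not from the original article) showing the vulnerable lookup beside the fixed one. The records, user names and handler functions are constructed for illustration; the point is the authorisation check and the single "not found" response, plus random references as a second layer so a leaked link is not enough on its own.

```python
import secrets

# Constructed sample records keyed by a sequential, guessable document ID.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Closing statement, 12 Elm St"},
    1002: {"owner": "bob", "title": "Wire instructions, 9 Oak Ave"},
    1004: {"owner": "alice", "title": "Escrow receipt, 12 Elm St"},
}


class NotFound(Exception):
    """Raised for missing records and, in the fixed version, for records the caller may not see."""


def get_document_vulnerable(doc_id, requester):
    """The flawed pattern: the record is served to whoever supplies its ID; requester is ignored."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_fixed(doc_id, requester):
    """Authorisation check: the record must belong to the requester."""
    doc = DOCUMENTS.get(doc_id)
    # One identical response for 'missing' and 'not yours' so the ID space cannot be mapped.
    if doc is None or doc["owner"] != requester:
        raise NotFound(doc_id)
    return doc


# Second layer: hand out unguessable references instead of sequential IDs.
REFERENCES = {}


def issue_reference(doc_id):
    """Mint a random reference for a document (e.g. for a link in a customer e-mail)."""
    ref = secrets.token_urlsafe(24)
    REFERENCES[ref] = doc_id
    return ref


def get_document_by_reference(ref, requester):
    doc_id = REFERENCES.get(ref)
    if doc_id is None:
        raise NotFound(ref)
    return get_document_fixed(doc_id, requester)  # still authorised: a leaked link is not enough


def reference_readable(ref, requester):
    """True if requester can read the document behind ref."""
    try:
        get_document_by_reference(ref, requester)
        return True
    except NotFound:
        return False


def enumerate_ids(fetch, requester, start, count):
    """Simulate an attacker stepping through sequential IDs; returns the titles they could read."""
    found = []
    for doc_id in range(start, start + count):
        try:
            found.append(fetch(doc_id, requester)["title"])
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_document_vulnerable, "mallory", 1000, 10))
    print("fixed:     ", enumerate_ids(get_document_fixed, "mallory", 1000, 10))
```

Run it and the vulnerable handler hands every record to "mallory" while the fixed handler hands over none; the same enumeration run as "alice" returns only her own two documents.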
Westpac Australian bank breach
In mid-2019, attackers exposed the details of almost 100,000 Westpac customers. The leaked information included names, phone numbers and account details tied to PayID, the Australian service that lets you make quick bank transfers to a mobile number or email address. The attackers used an automated enumeration technique: they fed large numbers of phone numbers into the PayID lookup, and every lookup that returned an account name confirmed a real customer and handed over their details.
The lesson is that any lookup which distinguishes valid from invalid identifiers must be rate-limited and monitored for bulk querying, and that 2FA on account actions limits what an attacker can do with the details they collect. It also underlines the importance of preparing for brute-force and enumeration attacks and proactively implementing security measures to deter them.
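Bulk querying of this kind is easy to spot in access logs if someone looks. The following is an added example, not from the article or from Westpac, of detection logic run over constructed log lines: one source queries twelve different numbers in half a minute while another makes two ordinary lookups. The log format, the thresholds (more than 10 lookups or more than 5 distinct identifiers per source in 60 seconds) and the IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines. Format: <utc time> <src ip> <path> <looked-up identifier> <status>
ATTACKER_LINES = [
    f"2019-05-20T10:15:{i * 3:02d}Z 203.0.113.7 /payid/lookup +6140000{i:04d} 200"
    for i in range(12)
]
NORMAL_LINES = [
    "2019-05-20T10:15:10Z 198.51.100.5 /payid/lookup +61411111111 200",
    "2019-05-20T10:15:40Z 198.51.100.5 /payid/lookup +61411111111 200",
]
LOG_LINES = sorted(ATTACKER_LINES + NORMAL_LINES)  # same date prefix, so sorting orders by time


def parse(line):
    ts, ip, _path, target, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, target, int(status)


def detect_enumeration(lines, window=timedelta(seconds=60), max_lookups=10, max_targets=5):
    """Flag sources that perform too many lookups, or look up too many distinct identifiers,
    within a sliding window. Returns {ip: summary} for every source that tripped a threshold.
    Successful and failed lookups both count: the volume is the signal, not the answer."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, target) inside the window
    alerts = {}
    for line in lines:
        ts, ip, target, status = parse(line)
        if status >= 500:  # server errors are not evidence of enumeration
            continue
        q = recent[ip]
        q.append((ts, target))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(q) > max_lookups or len(distinct) > max_targets:
            alerts[ip] = {
                "lookups": len(q),
                "distinct_targets": len(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_enumeration(LOG_LINES).items():
        print(ip, summary)
```

The same per-source counter, placed in front of the lookup endpoint rather than behind the logs, is the rate limit that should have refused the attacker's requests in the first place; the detection version is what tells you it is happening when the limit is missing or set too high.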

Canadian credit union breach: the Desjardins Group
2019 was a hefty year for the financial industry. That year the personal information of over 4 million Desjardins members was exposed, including home addresses, names, email addresses and transaction records and, most concerning of all, Canadian social insurance numbers. The breach was later confirmed to have also affected 1.8 million credit card holders who were not Desjardins members. The bank paid around $100 million to cover the cost of the breach, with a class-action lawsuit still pending that could push the bill higher. This attack was an inside job, carried out by an employee with access to the data, so vetting employees and controlling and monitoring their access to customer data are as necessary as training them.
Equifax: credit reporting data breach
The infamous Equifax data breach. In September 2017 Equifax disclosed a breach exposing the names, Social Security numbers, birthdates, telephone numbers and email addresses of approximately 143 million US consumers and around 400,000 people in the UK, along with roughly 210,000 credit card numbers. Equifax ended up paying over $700 million in a settlement. The entry point was an Apache Struts vulnerability that had been public, with a patch available, since March 2017, some six months before the breach was disclosed; attackers exploited it remotely to reach Equifax's data. The lesson is a human one: running components with known vulnerabilities and failing to patch them is a notably bad idea, and widely deployed web frameworks are a favourite target precisely because one flaw works against everyone who has not patched. The damage was severe enough that Equifax's CEO, CIO and CSO resigned in the face of the bad publicity and resulting lawsuits (and those lawsuits follow even after resignation).

“A staggering 90% of data breaches in the UK during 2019 resulted from human error, with the majority being unintentional errors rather than intentional attacks. However, it is crucial to prioritise the development of user-friendly systems and establish comprehensive training policies. One effective measure is regularly updating staff members on the latest phishing trends and implementing redundancies in the system that help prevent simple mistakes.”


Understanding the Human Factor in Cybersecurity

Social Engineering Techniques

Social engineering is the art of manipulating people into disclosing confidential information or taking actions that give unauthorised individuals access. Attackers combine psychological levers such as trust, curiosity, fear and authority to exploit employees. Phishing emails, tailgating, baiting and pretexting are all social engineering techniques that play on human inclinations.

Cognitive Bias

Cognitive biases are inherent thinking patterns that push an individual towards irrational decisions. Confirmation bias, for example, makes people favour information that aligns with what they already believe. Cybercriminals exploit these biases to craft persuasive messages that match employees' expectations, making them more likely to fall for a scam.

Lack of Cybersecurity Training

In the financial sector many employees have never received proper cybersecurity training, leaving them unaware of the threats they face and liable to act in ways that cause a human-error breach.

Impact of Stress and Time Pressure

Stress and time pressure impair decision-making and lead to hasty actions that compromise security. Tight deadlines and high-pressure situations make employees more likely to react impulsively to a phishing email, which is exactly why such emails are written to create urgency.

Human Error as an Unintentional Threat

Human error also includes honest mistakes made by well-meaning employees. An employee might send sensitive information to the wrong recipient or misconfigure a security setting, inadvertently exposing critical data to unauthorised access.

Importance of Security Awareness Training

Financial businesses must invest in proper training and security awareness. Regular training sessions and simulated phishing exercises improve threat detection and foster a security-aware culture.

Behavioural Biometrics and User Monitoring

Behavioural biometrics and user monitoring provide valuable insight into how users actually behave. These solutions analyse typing speed, mouse movements and application usage to detect anomalies or signs of a potential security threat.

What technology and what kind of response does your organisation need to counter these threats?

Technology Solutions for Mitigating Human Error in Cybersecurity

NIST Cybersecurity Framework:
The NIST Cybersecurity Framework provides a valuable means to structure and enhance your cybersecurity programme. Its five functions, Identify, Protect, Detect, Respond and Recover, align with other prominent security frameworks while setting out the vital procedures that belong under each.

The Bank of England’s CBEST Vulnerability Testing Framework:
CBEST is an intelligence-led testing framework launched by the Bank of England in June 2014. It uses information from reliable government and commercial sources to identify the threat actors likely to target a specific financial institution, then simulates those actors' tactics to assess how likely they are to penetrate the institution's defences. The process lets firms identify weaknesses in their systems and develop effective corrective measures.

User and Entity Behaviour Analytics (UEBA):
Microminder offers and implements this solution to detect abnormal behavioural patterns within an organisation's network. It uses statistical analysis, algorithms and machine learning to identify potential threats efficiently: by monitoring network activity and comparing it against an established baseline of normal operation, it detects deviations that may indicate a security risk.
So what qualifies as abnormal behaviour on a network? If a user normally downloads about 30MB a day from your bank's server and suddenly starts pulling gigabytes, that is a deviation worth acting on. With an automated UEBA solution in place, the cybersecurity service provider can disconnect such a user from the network until the activity is explained.
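The 30MB-versus-gigabytes comparison is a per-user baseline check, and the simplest robust form of it fits in a few lines. The block below is an added example, not Microminder's UEBA product or code from the article: it scores today's download volume against each user's own recent history using the median and median absolute deviation (so one unusual day in the past does not inflate the baseline) and flags anyone far above it. The history, the threshold of 6 and the 7-day minimum history are assumptions, and the figures are constructed.

```python
from statistics import median

# Constructed daily download volumes (MB) per user over the last 14 days, then today's figure.
HISTORY = {
    "jdoe":   [28, 31, 30, 29, 33, 30, 27, 32, 30, 31, 29, 30, 28, 34],
    "asmith": [2000, 2100, 1950, 2050, 2000, 2200, 1900, 2000, 2100, 2050, 1980, 2020, 2000, 2150],
}
TODAY = {"jdoe": 4200, "asmith": 2300, "newhire": 900}


def robust_zscore(history, value):
    """Deviation of value from the user's own baseline, in median-absolute-deviation units.
    Median/MAD rather than mean/standard deviation so a single past spike cannot hide a new one."""
    base = median(history)
    mad = median(abs(x - base) for x in history)
    # 1.4826 makes MAD comparable to a standard deviation for normal data; the floor avoids
    # dividing by zero for a user whose history is perfectly flat.
    scale = max(1.4826 * mad, 0.05 * base, 1e-9)
    return (value - base) / scale


def flag_anomalies(history, today, threshold=6.0, min_days=7):
    """Return {user: zscore} for users whose activity today is far above their own baseline.
    Users without enough history are skipped rather than judged against someone else's baseline."""
    flagged = {}
    for user, value in today.items():
        past = history.get(user)
        if not past or len(past) < min_days:
            continue
        z = robust_zscore(past, value)
        if z > threshold:
            flagged[user] = round(z, 1)
    return flagged


if __name__ == "__main__":
    for user, z in flag_anomalies(HISTORY, TODAY).items():
        print(f"{user}: {z}x above baseline, review or disconnect")
```

Here "jdoe" (normally about 30MB, today 4.2GB) is flagged and "asmith" (normally about 2GB, today 2.3GB) is not, which is the point of comparing each user to their own baseline rather than to a fleet-wide average; "newhire" has no history and is skipped. A real UEBA deployment feeds in many more signals than one volume figure, but the baseline-and-deviation logic is the same.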

Penetration Testing Services:
Every organisation should conduct regular social engineering penetration tests. More than 80% of businesses suffered a data breach in 2022, and if the statistics above are not persuasive enough, a quick search will turn up plenty more.

Multi-Factor Authentication (MFA):
This one is plain and simple. Your business is safer when an employee cannot get into their account at login until they also enter a one-time code or use a passkey to confirm their identity, so a stolen or guessed password on its own is not enough.
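The one-time code most authenticator apps produce is TOTP (RFC 6238), and verifying it correctly on the server side is where deployments tend to slip: accepting a code forever, or letting a captured code be replayed. This is an added example, not code from the article or from any product, implementing the code generation and a verifier that allows one step of clock drift and refuses replays. The key is the RFC 6238 test-vector key, used here only so the expected codes are known; a real deployment generates a random secret per user at enrolment.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1


def hotp(key, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second time step."""
    for_time = time.time() if for_time is None else for_time
    return hotp(key, int(for_time // step), digits)


def verify_totp(key, submitted, for_time=None, step=30, digits=6, window=1, used=None):
    """Check a submitted code, accepting +/- `window` steps of clock drift.
    `used` is a set of already-accepted counters kept per user across calls, so a code
    captured by a phisher cannot be replayed inside the drift window."""
    for_time = time.time() if for_time is None else for_time
    counter = int(for_time // step)
    for drift in range(-window, window + 1):
        c = counter + drift
        if used is not None and c in used:
            continue
        # Constant-time comparison so response timing does not reveal how many digits matched.
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            if used is not None:
                used.add(c)
            return True
    return False


def key_from_base32(secret):
    """Decode the base32 secret shown in an enrolment QR code (padding is often omitted)."""
    secret = secret.strip().replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


# RFC 6238 test-vector key (ASCII '12345678901234567890'); for known-answer checks only.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_KEY, 59))          # 287082 per the RFC vectors
    print("current code:", totp(RFC_KEY))
    print("verify now:  ", verify_totp(RFC_KEY, totp(RFC_KEY)))
```

Two details matter beyond the arithmetic: the replay set means the same six digits only ever work once, which is what defeats the phone-call scenario at the top of this article if the caller talks someone into reading out their code, and the comparison is constant-time so an attacker cannot narrow the code down digit by digit from response timing. Rate-limiting verification attempts per account is the remaining piece, since a six-digit code with a three-step window is guessable given unlimited tries.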

What should any banking institution, financial insurer, or financial provider do?

If you want to take the best measures to protect your business, seek answers from experts who can assess your situation. Take action and protect your business today: get a demo from one of the top cybersecurity firms so you will not regret it tomorrow.


