
The “Oops” Factor: How Human Error is Powering a Multibillion-Dollar Cybercrime Empire

By Jeff Robinson, President & CEO of Tier 3 Technology Solutions

You may have heard this statistic before: According to an Accenture study, 43% of all cyberattacks target small businesses. The explanation is simple enough—small businesses have valuable data and resources worth targeting but often don’t prioritize cybersecurity.

Even more daunting for small business owners? A study by IBM found that 95% of successful cyberattacks are preventable and only occur because of human error.

Now, that is an alarming statistic on paper. It is powerful enough to catch eyes and turn some heads, but what does it actually mean? How exactly does human error aid cyber attackers, and how can a small business take practical, effective steps toward mitigating the impact of human error?

In this article, we will delve into the real-world context behind the scary “ninety-five percent” statistic and lay out some simple steps you can take to drastically boost your cybersecurity efforts.

Defining Human Error

At first glance, this might seem like a no-brainer. “Human error” means that someone messed up, right? Well, yes. Kind of.

Like so many things in life, the concept of human error in cybersecurity is complicated. It is not characterized by black-and-white delineations (a team member either messes up or doesn’t) but exists instead on a spectrum filled with grays and is dependent on context.

That didn’t really make things easier, did it? Let’s look at a couple of examples and gain some clarity.

Dave, who is entirely fictional and therefore fair game to pick on, leaves a company laptop full of sensitive data at a Starbucks. To make matters worse, his password, which he recently changed, is written on a sticky note inside the laptop. That is an obvious case of outright “What were you thinking?” human error. If the wrong person finds that laptop, your business’s entire network is served up on a silver platter.

But in our second example, let’s suppose Dave is cautious with his passwords and mindful of his company equipment. He stops at Starbucks, sends a few emails, packs up his things, and goes on his way. But a few weeks later, a team member in accounting pays a very large (and very fraudulent) invoice. This devastating loss is eventually traced back to Dave’s ten-minute work session at the local Starbucks. How? He did everything right, didn’t he? Unfortunately for Dave, and everyone who works with Dave, he did all the right things while using unsecured public Wi-Fi, which opened the door for a bad actor to gain access to Dave’s machine. Public Wi-Fi networks often lack encryption or use weak encryption protocols. This means that data transmitted over the network, such as login credentials, personal information, or financial data, can be intercepted by an attacker.

While Dave was waiting for his venti caffè latte to cool down, someone was gaining access to his network. Once inside, after familiarizing themselves with the environment, the attacker determined that the easiest and most lucrative attack method was to simply change the account and routing numbers on an invoice from the company’s largest vendor. This example of human error is less egregious than the first, but the results were just as costly. Dave either lacked the proper training on public Wi-Fi networks, or he didn’t heed the training he had received.

This brings us to our third example, where we have Stacey in accounting, Dave’s coworker who green-lit the payment of the fraudulent invoice. It was the same invoice from the same billing representative from the same vendor Stacey deals with every month. She followed protocol and did everything right—except she didn’t notice that the routing and account numbers had been changed. This is an example of human error, and the bank will see it that way, too. It’s also a mistake that any of us could make—and quite easily, at that.

When you compare the first scenario (Dave’s abandoned laptop and clumsy, sticky-note password) to the incredibly sophisticated attack that fooled Stacey, suddenly human error does not look so cut and dry.

While technological advancements will always play a critical role in protecting digital assets, human error hamstrings even the most robust technology and remains a significant contributor to successful cyberattacks. Let’s get into some specifics.

The Role of Human Error in Cyberattacks

Understanding how human error (in all its myriad forms) contributes to cyber threats is essential for businesses as they develop effective mitigation strategies.

Phishing Attacks. Despite advancements in email filtering and security protocols, phishing remains one of the most prevalent forms of cyberattacks. Team members may unknowingly click on malicious links or download harmful attachments, providing cybercriminals access to sensitive data.

Weak Password Practices. Weak passwords and password reuse across multiple accounts create significant security risks. Team members often choose easily guessable passwords or fail to update them regularly, making it easier for hackers to gain unauthorized access to systems and networks.

Unauthorized Access. Team members may inadvertently grant unauthorized individuals access to sensitive information by failing to secure their devices properly or sharing login credentials with unauthorized parties.

Social Engineering. Cybercriminals exploit human psychology through social engineering tactics to manipulate team members into disclosing confidential information or performing actions that compromise cybersecurity defenses.

Practical Steps to Mitigate Human Error in Cybersecurity

While it is impossible to eliminate human error entirely, businesses can take simple and proactive measures to greatly mitigate its impact on their cybersecurity posture.

Team Member Training and Awareness. Implement comprehensive cybersecurity training programs to educate team members about common threats, phishing tactics, and best practices for secure behavior online. Regular awareness campaigns can help reinforce these lessons and keep security top of mind.

Strong Password Policies. Enforce strict password policies that require team members to create complex passwords, enable multifactor authentication (MFA) wherever possible, and regularly update their passwords. Consider implementing password management tools to simplify this process and encourage compliance.

Access Control and Privilege Management. Implement robust access control mechanisms to restrict team member access to sensitive information based on their roles and responsibilities. Regularly review and update user permissions to prevent unauthorized access.

Security Software and Tools. Invest in advanced cybersecurity solutions such as firewalls, antivirus software, and intrusion detection systems to detect and mitigate threats in real-time. Additionally, deploy email filtering solutions to identify and block phishing attempts before they reach team members’ inboxes.

Incident Response Planning. Develop a comprehensive incident response plan outlining procedures for identifying, containing, and mitigating cybersecurity incidents. Conduct regular drills and simulations to test the effectiveness of the plan and ensure team members are prepared to respond effectively in the event of a breach.

Cultivate a Culture of Security. Foster a culture of security within the organization by emphasizing the importance of cybersecurity at all levels. Encourage team members to report suspicious activities promptly and reward proactive security behavior.

And finally, continue to educate yourself on how threat actors exploit human error and implement policies to protect yourself.

In the example we outlined above, in which Stacey fell victim to a convincing invoice fraud attack, Stacey would have benefited from a simple policy calling for the review and verification of a vendor’s bank info before authorizing payment. She would also have benefited from a policy calling for a second team member to review the transaction before it was approved. Everyone has an off day, and having a second set of eyes to look things over could have saved our fictional company from financial ruin. While this example is fictional for the sake of this article, this scenario is very real. We have seen it occur multiple times and, unfortunately, we will continue to see it.
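As an added illustration of the two policies just described (this is example code written for this article, not code from Tier 3 Technology or any payment system), here is a small pre-payment check: it compares the bank details on an incoming invoice with the vendor record on file, blocks the payment when they differ, and refuses to release any payment without two distinct approvers. The vendor record, invoice values, field names and user IDs are all constructed assumptions.

```python
"""Added example: a pre-payment control for vendor invoices.

It enforces the two policies from the article:
  1. The bank details on an invoice must match the vendor record on file
     (details that were verified out-of-band when the vendor was onboarded).
  2. Every payment needs two different team members to approve it.
All vendor data and invoices here are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    routing_number: str   # verified with the vendor by phone at onboarding (assumption)
    account_number: str


@dataclass
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    routing_number: str   # bank details as printed on the incoming invoice
    account_number: str
    approvals: list = field(default_factory=list)  # user IDs of approving team members


# Constructed vendor master file; kept separate from anything that arrives by email.
VENDORS = {
    "V-100": VendorRecord("V-100", "Acme Concrete Supply", "021000021", "123456789"),
}


def review_payment(invoice: Invoice, vendors=VENDORS):
    """Return (approved, reasons).

    approved is True only when every check passes; otherwise reasons lists
    each failed control so the reviewer knows what to verify before paying.
    """
    reasons = []

    vendor = vendors.get(invoice.vendor_id)
    if vendor is None:
        return False, ["unknown vendor; no record on file to verify against"]

    # Policy 1: bank details on the invoice must match the record on file.
    if (invoice.routing_number != vendor.routing_number
            or invoice.account_number != vendor.account_number):
        reasons.append("bank details differ from vendor record; "
                       "confirm with the vendor on a known phone number")

    # Policy 2: two different people must sign off. Counting distinct IDs
    # stops one person from approving twice.
    distinct_approvers = set(invoice.approvals)
    if len(distinct_approvers) < 2:
        reasons.append("second approver required")

    return (not reasons), reasons


if __name__ == "__main__":
    # A normal monthly invoice, approved by two people: allowed.
    routine = Invoice("INV-2041", "V-100", 12000.00, "021000021", "123456789",
                      approvals=["stacey", "dave"])
    print(review_payment(routine))

    # Same vendor, same amount, but the account number has been altered: blocked.
    altered = Invoice("INV-2042", "V-100", 12000.00, "021000021", "987654321",
                      approvals=["stacey", "dave"])
    print(review_payment(altered))
```

The mismatch check deliberately does not say what the "right" numbers are in its message; the reviewer is told to confirm with the vendor through a channel that was established independently of the invoice, since an attacker who can alter an invoice can also alter the contact details printed on it.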

If you are unsure where to begin when it comes to implementing a more robust set of policies and awareness training, reaching out to a managed security services provider (like Tier 3 Technology—www.gotier.com, a consulting member of the Concrete Foundations Association) is a great first step. Whoever you choose to consult with, remember that a quality MSSP will want to get to know you, your environment, and your goals before rushing to send over a contract. A simple conversation and a cyber risk assessment are strong first steps and can tell you a lot about your cybersecurity posture—even if you choose not to work with an MSSP at all.

Human error remains a significant challenge in cybersecurity. Still, businesses can mitigate its impact through proactive measures and a multilayered approach to defense. By investing in team member training, implementing robust security policies and technologies, and fostering a culture of security awareness, organizations can significantly reduce the risk of cyberattacks caused by human error—and hopefully start chipping away at some of those scary statistics.
