The Pointy End of Human Error
Last week the Office of the Australian Information Commissioner (OAIC) published its latest Notifiable Data Breaches Quarterly Statistics Report - 1 April to 30 June 2019.
Immediately from this report you'll see that at least a third (34%) of notifiable data breaches were due to human error, but if you dig a little deeper into the causes behind "Malicious or criminal attacks" (62%) you'll find that this category also includes credential theft from phishing, physical theft (and therefore bad security practices), and other human action or inaction.
Most disturbing for me, though, is digging into the human error category and seeing things like "PI sent to wrong recipient (email)", which accounted for 35% of the breaches caused by human error. Even worse, sending PI to a wrong recipient in general (not just by email) extends to 49% of human error breaches - which accounted for 41 notifiable data breaches!
The topic of human fallibility underpins a lot of the modern discourse in cyber security. This has become especially relevant as the science of security awareness has gained enormous popularity. And it's also because after many years of seeing the same bland results, experts are realising that no matter how many security controls you put in front of people, there will always be a margin of error.
While a few people might be lucky and never "click on that link" or accidentally send an attachment to the wrong person, the rest of us at some time or other will inevitably do such a thing... some of us, more than others.
Getting human actions to a state where they're free of error is an asymptotic game. All it takes is the right context, the right moment and one slip-up to cause cyber security mayhem. Ask any social engineer about their craft and you'll soon be admitting to yourself that there's really no hope of reducing the margin of human error to absolute zero.
So what's the solution to addressing this pointy end of human error? To illustrate, let's look at some practical solutions around the "PI sent to wrong recipient (email)" raised by the OAIC's latest report.
In my view, firstly there's nothing wrong with continuing to stack as many preventative security controls in front of people as you can - provided that doing so takes into consideration the risk to the business by carefully weighing the productivity and efficiency gains or losses.
For the sent to wrong recipient problem, some organisations that I work with are choosing to disable the "Auto-Complete List" in Outlook (the auto-matching feature and drop-down that appears when typing a recipient's name, controlled by the ShowAutoSug value under the Outlook Preferences registry key or the equivalent Group Policy setting). Forcing people to pick the recipient deliberately, rather than accepting the first near-match, is one example of a simple and effective preventative control that can make a difference.
In addition to preventative controls, being realistic about what happens when human error occurs (not if) is equally important - by having corrective, detective, and recovery controls in place.
In the case of the sent to wrong recipient problem, detecting incorrectly addressed e-mail attachments before they leave (using advanced DLP scripts), or delaying outbound email so there is time to retract it, are some good examples.
Finally, embracing the notion that the margin of human error will always exist means you need to be ready for a potential data breach with a clean-up crew waiting in the wings. That means having an incident response plan you can use to coordinate and identify the tasks needed to triage problems when they arise.
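To make the detective control concrete, here is an added example (not code from the original post, and not any particular DLP product's logic) of the kind of check an outbound mail gateway script can run: release the message only if no attachment is going to an address that looks like an auto-complete mis-pick of a known correspondent or to a never-before-seen external address. The organisation domain, the address book and the messages built by build_message are all constructed for the example.

```python
"""Outbound attachment recipient check (added example, not from the original post).

A message is held for review when it carries an attachment and any recipient is
either a near-miss (small edit distance) of a known correspondent, which is what
an Outlook auto-complete mis-pick typically looks like, or an external address the
organisation has never mailed before.
"""
from email.message import EmailMessage
from email import policy
from email.parser import BytesParser

ORG_DOMAIN = "example.com.au"  # constructed: the sending organisation's own domain

# Constructed address book: addresses this organisation has legitimately mailed before.
KNOWN_CORRESPONDENTS = {
    "jane.citizen@example.com.au",
    "j.citizen@partnerlaw.example",
    "accounts@partnerlaw.example",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the signature of a mis-picked address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipients(msg: EmailMessage) -> list[str]:
    """All bare addresses across To/Cc/Bcc, lower-cased."""
    out = []
    for field in ("to", "cc", "bcc"):
        for header in msg.get_all(field, []):
            out.extend(a.addr_spec.lower() for a in header.addresses)
    return out


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is presented as a named attachment."""
    return any(part.get_filename() for part in msg.iter_attachments())


def check_outbound(raw: bytes, max_distance: int = 2) -> list[str]:
    """Return findings for a raw RFC 5322 message; an empty list means release it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    if not has_attachment(msg):
        return findings  # no attachment: outside the scope of this control
    for rcpt in recipients(msg):
        if rcpt in KNOWN_CORRESPONDENTS:
            continue  # an address we have sent to before
        near = sorted(
            k for k in KNOWN_CORRESPONDENTS if edit_distance(rcpt, k) <= max_distance
        )
        domain = rcpt.rsplit("@", 1)[-1]
        if near:
            findings.append(f"{rcpt}: looks like a mis-pick of {near[0]}")
        elif domain != ORG_DOMAIN:
            findings.append(f"{rcpt}: attachment to a never-before-seen external address")
    return findings


def build_message(to: list[str], attach: bool) -> bytes:
    """Construct a sample outbound message (constructed input for the example)."""
    msg = EmailMessage()
    msg["From"] = "michael@example.com.au"
    msg["To"] = ", ".join(to)
    msg["Subject"] = "Client file"
    msg.set_content("Attached as discussed.")
    if attach:
        msg.add_attachment(
            b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="client-file.pdf"
        )
    return msg.as_bytes()


if __name__ == "__main__":
    # "j.citizens" is one keystroke away from the real correspondent "j.citizen".
    for finding in check_outbound(build_message(["j.citizens@partnerlaw.example"], attach=True)):
        print("HOLD:", finding)
```

The near-miss check runs before the external-domain check on purpose: a mis-pick between two internal addresses (jane.citizen versus jane.citizens) is still PI sent to the wrong recipient, even though it never leaves the domain. A first-time external address with an attachment is not necessarily wrong, which is why the message is held for the sender to confirm rather than dropped.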
Until next time, stay safe out there. And if you like this, please share.
Michael, once more, as always, great thoughts, and appreciate your proposed solutions are pragmatic and measured in their approach. For example, employees have to send email, but the auto-complete email address functionality just raises the likelihood of an error, so remove it - not the ability of employees to perform their business duties (because as we all should acknowledge, diligent employees will find a way to perform their duties, which may raise greater dangers such as use of uncontrolled email services on vulnerable platforms).
You make some solid points there Michael McKinnon. I feel too much emphasis is being put on security awareness without any means of verifying whether it actually worked. And I don't mean a questionnaire at the end of the session. Would you agree? I also feel it is about time we security professionals stop treating users like kids and start to hold them responsible and accountable for their actions. Otherwise we will always be doing firefighting due to breaches.
Some good thoughts, here Michael.