Cybersecurity news often involves sophisticated, highly structured hacking gangs and shady dark web marketplaces, not human error. However, seemingly simple mistakes threaten organizations worldwide and are, in fact, one of the most common causes of breaches and data exposures.
Recent revelations regarding security incidents deemed to have been exclusively caused by malicious actors show that human error is a more significant cybersecurity hurdle than most realize. Moreover, they reveal that even when a human error has been found to have significantly contributed to a breach with national security implications, that particular detail tends not to travel as far in our current media environment.
What is human error?
Put plainly; human error is a mistake made by a person as opposed to a machine or application’s malfunction, bug or glitch. In the realm of cybersecurity, human error can result from the following:
A basic lack of cybersecurity awareness
Education is key when it comes to keeping cybersecurity tight. An employee monitoring incoming emails or messaging may seem like an unlikely target for criminals. Still, these workers are on the front lines regarding email or SMS-based phishing attacks and social engineering campaigns.
An individual without the knowledge needed to spot a fraudulent email can unwittingly hand the network’s keys over to a criminal by clicking a malicious link or being manipulated into providing sensitive information over the phone.
With AI and deepfake technology maturing rapidly, it’s more important than ever to establish protocols that can be relied upon to verify that the source of a request or message is legitimate and safe.
Weak passwords
Weak passwords are common among organizations, accounts, and users. Criminals can employ tools that make password cracking easy on login credentials containing predictable patterns or insufficient random characters.
Multifactor identification can help defend against fraudulent login attempts, but even this obstacle can be manipulated or worked around by savvy hackers.
Outdated software
Failing to keep apps, firmware, and operating systems updated about patches and security fixes is a common error that threat actors quickly pounce on. When news of an exploitable vulnerability hits, hackers immediately run scans to seek out users who are slow on the draw or still use legacy components with exploitable flaws.
Misconfigurations
Misconfigurations are commonly cited as a reason for a data breach or exposure. Typically, these errors result from someone failing to implement the correct security settings, if any, to a trove of information. For example, a server containing customer billing data that does not require a password to view is low-hanging fruit for cybercriminals.
A misconfiguration of this nature can occur upon the initial creation of the database or later on if someone makes a change that fails to maintain a previously adequate level of security.
Recent examples of human error
Oldsmar, Florida water supply attack
In February of 2021, the cybersecurity world was rocked by the news that someone attempted to poison the citizens of Oldsmar, Florida, by tampering with the city’s water treatment system.
According to Oldsmar law enforcement, “someone remotely accessed a computer for the city’s water treatment system and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100.”
The incident carried great weight, and news of the brazen attack spread globally, serving as a cautionary reminder that critical infrastructure components are high-priority targets for criminals who intend to harm. It also sheds light on the importance of updating these systems to keep pace with the prevalence and sophistication of today’s hackers.
However, the results of the following investigation paint a very different picture.
On March 20th of 2023, former Oldsmar City Manager Al Braithwaite stated that “the FBI concluded there was nothing, no evidence of any access from the outside” and that the activity was likely an accident made by “the same employee who was purported to be a hero for catching it… banging on his keyboard.”
To his credit, Braithwaite categorized the happening as a “non-event” as soon as it took place. Still, law enforcement and the media seemingly couldn’t resist the implications of such a frightening attack on a public utility.
While it could be argued that the spotlight this misclassification put on critical infrastructure was beneficial regardless of whether or not the reporting at the time was completely accurate, highlighting the critical nature of human error in this space is just as important, albeit not as exciting.
News of this update to the event has not been circulating as rapidly.
The breach of D.C. Health Link
In March of 2023, personal health information belonging to members of U.S. Congress and their dependents was accessed by an unauthorized person, exfiltrated, and posted for sale on a dark web forum by a user called “IntelBroker.” D.C. administered the data. Health Link, “a public-private healthcare exchange program for Washington, D.C., residents.”
Momentarily, it was believed that the attack involved significant hacking.
However, it wasn’t long before it was revealed that an outsider accessed the data through a server that was “misconfigured to allow access to the reports on the server without proper authentication,” according to Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority. “Based on our investigation to date, we believe the misconfiguration was not intentional but a human mistake.”
The criminals supposedly responsible seem to agree. While IntelBroker was banned following their post, an affiliated user called “Denfur” said that the information was stolen via an “open, exposed database” that did not ask for any verification to access. Denfur also claimed that “the database was most likely exposed for over a year and a half before the breach occurred.”
The error will prove to be costly for D.C. Health Link, as lawsuits mount against the organization in response to its irresponsibility.
How to limit human error
The most effective ways to lessen the impact of human error mostly have to do with limiting the possibility of it happening in the first place:
Enforce comprehensive training programs. Employees should receive regular, mandatory training on cybersecurity best practices to identify potential threats and respond to them accordingly.
Maintain strong password requirements. Make sure that workers adhere to passwords that aren’t overly simplistic. Multifactor authentication should be implemented whenever possible.
Keep software up to date. Don’t allow apps and operating systems to fall behind on their updates. Configure them to update automatically to ensure programs remain current and don’t slip through the cracks.
Make security a priority. Create a culture in which security is prioritized and openly discussed. The more cybersecurity awareness an organization encourages among its workforce, the less likely mistakes will be made.
