Lee Huay Leng

Human Error Major Factor in Risk Management

Denial and Ignorance Most Cited As Internal Company Risk Factors

According to the findings from IBM's 2014 Cyber Security Intelligence Index, "95 percent of all security incidents involve human error". The report notes that while many believe company risks come from outside sources phishing or luring people into unwittingly releasing sensitive information, the most overlooked threat to companies and their internal information is the internal employees who handle that information. This is known as the threat of inadvertent human error: simple insider mistakes.

"Most human error is caused by employees," states Kieran Upadrasta. "Errors can be found in system misconfigurations, poor patch management practices and employee use of default names and passwords."

Upadrasta specializes in educating employees to recognize attacks and how to prevent them. "Sometimes the human error can be as simple as a lost laptop or mobile phone containing sensitive company information. Making sure employees secure their devices as well as their information is important to a company's risk assessments. Passwords should be changed often, and no one should be using a default password. Just these little and simple changes can help in securing a company from inadvertent attacks."

"IT security should be as much of a priority for a company as financial performance," states Kieran Upadrasta. "To err is human should not be a credo. Organizations must challenge the idea that the human resource is the weakest link in the workplace. When a workforce is properly prepared and educated, they become the strongest part of the performance and protection equation. Human error should not be considered as just another cost of doing business."

Human error can also affect a company's IT infrastructure through something as simple as a bring-your-own-device policy. While this may offer convenience to the user, it can put the company's enterprise at risk when the device is plugged into the system if protocols are not in place. Another issue arises when employees rely too heavily on unapproved applications, a practice known as shadow IT. Not using encryption is yet another serious situation that can put both the company and its data at risk through human interaction with company technology.

One of the least thought about, yet probably the most serious, ways a company is put at risk through human interaction is employees who don't keep their software up to date. Software updates often include security patches that are necessary across the system to keep things functional while closing entry points for hackers and malicious software. Lastly, lax social media use policies create human error and interaction security issues, which may be eliminated when proper policies are put in place and policed.

"Effective employee training creates a culture of cyber hygiene," notes Upadrasta. "Employee education brings the importance of security to everyone and helps to make it second nature to do things such as update patches, avoid rogue software, maintain clean devices and keep passwords up to date."

For more information, visit http://www.kieransky.com.

About Kieran Kumar Upadrasta

Kieran Upadrasta (http://www.kieranupadrasta.com) offers full risk assessments and teaches corporate cultures a climate of cyber hygiene for companies seeking to take a proactive approach to cyber security. Upadrasta has over eighteen years' experience in the fields of business analysis, consulting, security architecture, assessments, threat analysis and risk management. An expert in incident response, crisis management, major incident management, stakeholder engagement, and mapping requirements, he is also a member of the London chapter of International Information Systems Security Certification Consortium, Inc., of the International Information Systems Security Certification Consortium as well as a member of the London chapter of the Information Systems Audit and Control Association and the Professional Risk Management International Association.
