Today, we’re seeing associations gather more and more data for their organization and members. And as many are moving to a cloud-based platform to house this data, we need to make sure we know how to manage and protect our data. You should already have discussions with your third-party data application vendors and have a risk-management plan in place if a breach were to happen, but what about your staff?
According to an IBM study, 95% of all data breaches are a result of human error, so if we can eliminate human error completely then 19 out of 20 cyber breaches may not happen at all. We’re all human, so mistakes are going to happen. It’s how we grow and learn, however, often those mistakes are too often overlooked.
Human error incidents can happen both at home or in the office and can be skill-based or decision-based. Skill-based errors are those small mistakes that occur during routine tasks – the employee knows how to proceed with the mistake but fails to do so because of a slip. Decision-based errors are when employees are purposely making errors in their task because they do not have enough information or can be out of malice. Both types can occur because of tiredness, distractions, or lack of awareness, and can include the following errors:
- Passwords: Using weak passwords or storing passwords in unreliable places including a sticky note, Google sheets, text messages, on a desk or around the house.
- Sensitive data: Improper handling of sensitive data including accidentally deleting files, sending this data to the wrong recipient, not backing up this data.
- Software: Using outdated or unauthorized software. This includes ignoring software updates and downloading compromised software.
- Email: Opening email links and attachments without paying attention or thoroughly reading through the email, email sender address, recipient address, etc.
- Wi-Fi: Using a public Wi-Fi connection without using a VPN or plugging in insecure devices like a USB storage device not given by an employer.
If this wasn’t enough, knowing that the threat of cyber-criminals is there can affect a person’s decision-making. In fact, social engineering has become a high-level type of security breach, as it’s used to exploit human weakness. This often involves manipulating individuals into breaking normal security procedures and best practices to gain access to systems, networks, physical locations, financials, and more. For example, your association could receive a – what looks to be legit – email from a sponsor with updated payment information in a PDF attachment. Knowing the familiar sponsor’s name, an employee opens the file which has now been seen as false and can corrupt the system. Simple enough, right?
Human error can only occur where there is the opportunity to do so, so it’s essential to eliminate all those opportunities and come up with a plan of defense.
Reduce the opportunity: This can include privilege control and password management. Privilege control guarantees that your employees only have access to the data that’s necessary for their job responsibilities. This reduces the amount of information that’s exposed. For password management it’s key to distance your employees from passwords to help reduce risk. Password manager applications have been popular because they can create and store passwords without the employee having to remember them (i.e. writing them on a post-it). The use of two-factor authentication across your association to add an extra layer of protection to all accounts is also a good route to take.
Change the culture: Having a security-minded culture in your association will help mitigate any risk that’s brewing. The first thing to do is to encourage discussion because the more it gets people talking and is at the forefront of the discussions, the more your employees will understand the risks and know what they can do to help reduce risk. These discussions will be a consistent learning process, as your employees will stumble onto questions as they do their day-to-day tasks. Make it easy for your employees to come leadership and ask questions. Ensure that there’s always someone available to answer anything that may arise. Lastly, create tips, brochures, posters, or any reminder to help ensure that your employees are thinking of security throughout the workday.
Offer the training: Educating your employees on security basics and best practices allows them to become better decision-makers, all while allowing them to keep security of essential data top of mind. This training should not come on a yearly basis, but regularly throughout the year so that it’s brief and easily digestible.
Test for preparation: Nothing says you can’t test your employees with social engineering. Create a fake email address and send a file or link via email. See who clicks on the information and you’ll know the statistic of how educated your staff is on security risks, and how to move forward.
You hired your staff to help build your association and make it stronger, not to make it weaker. By taking even the smallest step towards reducing human error and having the right policies and tools in place, you can protect your association from hackers and cybercriminals, all while reducing human error from social engineering tactics.
