MANAGING THE HUMAN RISK ELEMENT OF CYBER SECURITY

R&C: What common trends are you seeing when it comes to the human risk element of cyber security? To what extent are breaches often caused by people’s mistakes, rather than system failures?

Walsh: From our experience, a majority of data breaches arise from human error. Often this arises from clicking on links or attachments in phishing or malware emails, complying with requests, such as transfers of funds, that appear to be legitimate but are not, allowing others to use corporate devices or merely sending information to the wrong recipient, among other things. Regularly, however, the human risk element often presents itself as a technology issue, when it is not. For example, a failure of staff to apply software patches and upgrades in accordance with best practice can leave organisations exposed to known vulnerabilities that attackers can exploit. Additionally, re-use of passwords across platforms can expose firms to unauthorised access through credential stuffing, a failure to use strong passwords or multi-factor authentication can leave accounts more easily hacked, and applying poor controls to privileged accounts can allow attackers to circumvent defences more easily. If you attribute those sorts of issues to human error rather than system failure, then I feel you would see a much higher percentage of human risk element to cyber security being reported.
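Credential stuffing, which Walsh names above as a consequence of password re-use, has a recognisable shape in authentication logs: one source tries many different accounts and most attempts fail. The script below is an added illustration of how a defender might flag that pattern; it is not code from the panel or from any of the firms named on this page. The log format, field names, threshold and IP addresses (documentation ranges) are constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Credential stuffing replays username/password pairs leaked from one site
against another. On the receiving side it looks like a single source failing
against many *different* accounts. The log layout below is an assumption made
for this example, not the format of any real product.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real data): timestamp, source IP, user, result.
# 203.0.113.7 sprays six accounts; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
2021-07-01T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-07-01T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-07-01T09:00:02Z ip=203.0.113.7 user=carol result=FAIL
2021-07-01T09:00:03Z ip=203.0.113.7 user=dave result=FAIL
2021-07-01T09:00:03Z ip=203.0.113.7 user=erin result=FAIL
2021-07-01T09:00:04Z ip=203.0.113.7 user=frank result=SUCCESS
2021-07-01T09:05:00Z ip=198.51.100.4 user=alice result=FAIL
2021-07-01T09:05:09Z ip=198.51.100.4 user=alice result=FAIL
2021-07-01T09:05:20Z ip=198.51.100.4 user=alice result=SUCCESS
"""

# Assumed log line format: "<ts> ip=<ip> user=<user> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_distinct_users=5):
    """Return {ip: summary} for sources that failed against many distinct accounts.

    A normal user who forgets a password fails repeatedly on *one* account, so
    the signal is the number of distinct usernames failing from a source, not
    the raw failure count. The threshold is an assumption to tune per site.
    """
    failed_users = defaultdict(set)
    success_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].add(e["user"])
        elif e["result"] == "SUCCESS":
            success_users[e["ip"]].add(e["user"])

    alerts = {}
    for ip, users in failed_users.items():
        if len(users) >= min_distinct_users:
            alerts[ip] = {
                "distinct_failed_users": len(users),
                # Accounts that logged in from the same source during the spray
                # are likely reusing a leaked password: prioritise them for a
                # password reset and enforce multi-factor authentication.
                "compromised_candidates": sorted(success_users.get(ip, set())),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run against the constructed sample, the script flags only 203.0.113.7 (five distinct failed accounts, then a success on `frank`), while the repeated failures from 198.51.100.4 against a single account are left alone. In practice the same logic would be run over a sliding time window and combined with an MFA-enforcement check on the flagged accounts.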

Cissé: In France, in the first CNIL report on personal data breaches published in 2018, human error accounted for 15 percent of data breaches notified to the CNIL. In 2021, although companies are more mature overall on the subject, it would not be surprising if the percentage remains the same or is even higher. Indeed, in recent years, companies seem to have focused their efforts on IT systems security, while not prioritising employee training in the same way. However, often the human risk is the result of employees’ lack of knowledge of the technical and organisational security measures to be followed to ensure the security of data. There is also a proportion of simple, inevitable human error, of course, as nobody can be perfect all the time.

Jul-Sep 2021 Issue

Fieldfisher

HSBC

Linklaters LLP