The Last Lines of Cyber Defense

When it comes to cybersecurity, the weakest link is almost always humans. Whether you’re attacked on your home network, or your company encounters a serious security breach, 19 out of 20 successful attacks come down to easily preventable human error.

What is human error?

Human error in the context of security can mean either unintentional action, or lack of action. Proper training and constant reminders of best practices is vital to preventing most cyberattacks and protecting networks, systems and databases.

Types of human error include skill-based errors and decision-based errors. You can defend against both with proper habit-forming and continual refresher training on reducing cybersecurity risks.

A skills-based error happens when you are performing a familiar task, but make a small mistake. This can be due to overtiredness, being on “autopilot,” forgetting a step in a series of steps or being distracted by other things going on around you.

A decision-based error happens when you don’t have all the information to make the best decision, you’re in an unfamiliar scenario, someone tricks you into giving them information or you fail to take an action because of indecision.

Preventing errors is less complicated and less expensive than trying to manage the fallout from a security breach. Whether you are at home or at work, you can implement safety protocols to help minimize risk and reduce the possibility of errors allowing unauthorized access to systems, accounts and data.

Defend your devices

Ensure that you have high-quality antivirus and antimalware programs installed and running. Enable automatic software updates, and check your system regularly for notifications about new security patches and bug fixes. Review logs as well to familiarize yourself with any breach attempts.

Use best practices with passwords and network access. A password manager can make it easier to protect your logins without having to remember multiple long strings of alphanumeric characters.

Safeguard your identity

Regularly check your bank account statements, credit card statements and credit reports to see if unidentified charges or changes have been made or new accounts have been opened in your name. Early identification of identity theft and quick action can help protect your finances and your credit.

If you find transactions you didn’t initiate or information you didn’t generate, act swiftly to change passwords, cancel credit cards and begin the identity recovery process. Being proactive can prevent the most damaging effects of ID theft.

Protect your accounts

Two-factor authentication (2FA), multi-factor authentication or authenticator app use will stop almost all automated attacks. 2FA involves a second step to the login process, typically with the generation of a six- to eight-digit code.

You can configure services to send a SMS to your mobile phone (which requires a data connection) or use an authenticator app that works on your device whether you’re connected to the internet or not. Codes or tokens are designed to be used only once, and expire after a certain number of minutes.

Social engineering

Nearly a third of all security breaches involve social engineering and were made possible by human error. The goal of social engineering is to make you freely hand over sensitive data like account numbers or passwords by misdirecting you or posing as a trusted person or organization. This practice is called “phishing.”

Warning signs of a phishing attempt

The most common form of social engineering is called phishing. Phishing seeks to trick you into divulging usernames or passwords by sending you authentic-looking emails or diverting you to authentic-looking websites, then asking you to enter sensitive information like a username, password or account number. Phishing can be aimed at consumers one-on-one, or at companies by targeting employees. The following red flags can alert you to a phishing attempt.

Unsecure websites

Look at web addresses when you visit sites on the web. The web URL should always start with “https,” not simply “http.” The “s” signifies that the site is secured and that information you may enter is encrypted. If you are given a web link without the “s” in the URL, don’t click on or type it in your browser.

Unusual email addresses

Look closely at email addresses; often, a phishing attack will have set up a domain with a misspelled version of a legitimate company, such as “Amazzon.” If the email purports to be from a company, offering to reset your password, don’t click on a link or button or enter any data without confirming the sender.

Suspicious hyperlinks

Links in emails should always be suspect. This is especially true if you can hover over the link and don’t get matching information from the URL, or if the hyperlink is shortened with a service like bit.ly.

Unsolicited attachments

As with links, attachments in unsolicited emails should always be suspect. Unless you can confirm with the sender, assume these are attempts to introduce malware onto your computer.

Generic or error-ridden text

Emails that appear to be from a legitimate organization, but which start with “Dear sir or madam” or which end without a company signature should be viewed with suspicion. So should emails with gross grammatical errors and misspellings.

Ransomware

Phishing is an even more serious risk in the workplace. If access to a system is granted, all of your company’s data can be held hostage. At this point, hackers may ask for a ransom to be paid before they will release your company data. Be aware that paying the ransom doesn’t guarantee you’ll get your data back, and that every ransom paid encourages hackers to commit more cybercrime.