When you think about a hacker breaking into an important database or gaining access to a critical account, you likely imagine someone writing a snippet of malicious code or using their technical prowess to break through a digital barrier. These types of attacks do exist, and have been responsible for major cybersecurity breaches. For example, brute force attacks rely on trial-and-error to guess a piece of encrypted information, and DDoS attacks use a wide network to take down a website or app with sheer numbers.
However, the vast majority of cyberattacks—as many as 99 percent—rely on some degree of human interaction to work. In other words, they rely on a human being to make a mistake that can be exploited.
Hackers as Opportunists
Why is this the case? Cybercriminals are like anyone else; they don’t want to expend any more effort than necessary. These days, smart businesses employ multiple layers of security to deter cybercriminals, including VPNs, firewalls, and encrypted communications. Breaking through these outer defenses is possible, but extremely time intensive and dependent on a high level of technical skill.
It’s much easier to trick, manipulate, or persuade human beings than it is to break through an unfeeling, infallible digital defense. Accordingly, unskilled cybercriminals see this as their only opportunity to get an opening, and skilled cybercriminals see this as an opportunity to pull off an attack for much less effort. As an analogy, a master lockpicker may be able to get into any car, given enough time, but they’ll still check for unlocked doors first.
The Weak Link in the Chain
The most common targets of cyberattacks aren’t individual people; they’re businesses, especially small businesses (who are the focus of 43 percent of all attacks). This is partially because businesses are more valuable; they tend to have access to more information, and may be willing to pay more to get their systems back online. However, it’s also because businesses have more human beings in their infrastructure.
All it takes is one “weak link” in the chain to cause a catastrophe. A single employee who makes a critical error could be responsible for an entire system going down. As a hacker evaluating targets, a business with 100 employees therefore looks like 100 opportunities to gain entry.
Potential Mistakes
So what types of mistakes do people make? There’s no real limit here, but these are some of the most common culprits:
- Weak passwords. It’s agonizing to learn how common it is for people to have easy-to-guess passwords. Passwords like “123456,” “qwerty,” and of course, “password” are still among the most common passwords in the country, making it possible to hack into someone’s account with no technical skill whatsoever. Humans are also bad at changing or updating their passwords, and using different passwords for different apps and platforms.
- Clicks and downloads. It’s hard to force a piece of malicious software onto someone’s device, but if they voluntarily click a link or initiate a download, that’s a different story. That’s why many cybercriminals resort to sending out mass emails or creating web pages designed to dupe people into clicking or downloading something.
- Compliance. Human beings are also easy to persuade. A brazen cybercriminal can pose as an IT lead, or similar authority figure, and ask for an employee’s credentials outright. You’d be surprised how often this tactic works.
- Hardware mistakes. Employees are generally bad at policing their own security practices when it comes to hardware. One experiment found that among people who picked up a random flash drive or CD in a public parking lot, 60 percent eventually plugged the device into a work computer to see what they contained. In the words of Director of Network Security and privacy Consulting at Computer Sciences Corp, “There’s no device known to mankind that will prevent people from being idiots.”
- Network mistakes. They’re also bad at making sure their networks are secure. Logging onto public Wi-Fi without any additional protective measures could be a veritable death sentence.
The Key Takeaways
So what are the big takeaways here? First, while it’s good to have highly secure, advanced technologies to keep your information safe, there’s only so much these systems can do. If even one of your employees makes a mistake or falls for a scam, someone can break in. Think of it like having 10 state-of-the-art locks on your front door; they won’t matter if someone forgets to lock them, or if they willfully let in a malicious stranger.
Second, having a secure infrastructure involves more than a basic SSL cert for SEO ranking purposes. It means tighter controls and better processes, including employee training–making ever person in an organization an asset rather than a liability when it comes to cybersecurity.
Accordingly, as an individual or an organization, one of your most important cybersecurity measures should be ongoing education and training. The better informed your people are, the less likely they’ll be to fall for a scam (or make a mistake).