Anne-Marie Eklund Löwinder: How do we prevent human error?
On Wednesday 9 February, it was finally time for SmartLockr's webinar with IT-security expert Anne-Marie Eklund Löwinder on the human factor in cybersecurity. We can honestly say it was a great success!
Anne-Marie provided interesting insights on secure digital communication and how it is affected by those small mistakes we are all capable of making. Couldn't attend the webinar? Don't speak Swedish? We've got you covered! We've summarised the key points for you below.
More communication by email
According to a study by Radicati Group, there were 3.9 billion email accounts in the world by the end of 2019. This means that more than half of the world's population uses email, a number which will rise to 4.2 billion by the end of 2022.
Radicati estimates that a staggering 293.6 billion emails per day were being sent as of 2019. That number will rise to more than 333 billion by 2022.
Human error – the biggest cause of data breaches
With so much email traffic, it's no wonder that human error is the biggest cause of data breaches. Nevertheless, Anne-Marie believes that these types of data leaks are not the fault of users.
"Users want to do a good job, and it's easy to get distracted. You might be a bit bored, fiddling at your computer or playing around on your phone while you wait for something.
You're exposed to a constant stream of messages. Via email, via text, via chat, Twitter, Facebook, Instagram, you name it. Then, as you're distracted, you respond to a message. Your guard is down, you then might send off that email with a sensitive piece of information, and you're done."
During the webinar, Anne-Marie mentioned IMY's report on data breaches that occurred in 2020. They, too, name the human factor as the main cause of data breaches. This only underlines the importance of security management within businesses. Technical security measures need to be complemented by ongoing training to increase knowledge and awareness among employees.
It's easier to hack a person than a computer system
It is currently easier to hack a human being than a computer system. Anne-Marie says we are good at protecting technology today. But by manipulating users, an attacker can abuse our natural inclination to trust others, rather than using technical weaknesses to get inside. So Anne-Marie provides us with the following tip:
"Protecting yourself requires a fair degree of suspicion. So the best thing to do is to hit the mental firewall too!"
How do we avoid human error?
When sending secure email, it is important to make use of the standards that exist to protect our data. Email is usually transmitted in plain text, which is why it is often compared to sending postcards.
However, for several years there has been a standard for transmitting emails with transit protection. This can still be compared to sending postcards, but with the mail cart locked during transport. This means that anyone trying to intercept emails on the way between post offices cannot see what is being sent. This is known as STARTTLS, and it is now available on modern mail servers.
DANE is another standard that allows you to publish the certificates used by an email server in the DNS, so that the sending server knows that STARTTLS will work and does not send email unencrypted.
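The following sketch is an added example, not part of the webinar or of SmartLockr's product. It shows how a sending server's delivery decision changes once the receiving domain publishes DANE (TLSA) records. The host name, EHLO reply, certificate bytes and decision labels are constructed for illustration, and the TLSA records are assumed to have been DNSSEC-validated already.

```python
import hashlib

# Constructed stand-in for the DER bytes of the certificate the server presents.
SERVER_CERT_DER = b"constructed-der-certificate-for-mail.example.org"

def parse_ehlo(lines):
    """Return the ESMTP extension keywords from a multi-line 250 EHLO reply."""
    caps = set()
    for line in lines[1:]:                      # first line is the greeting
        if line.startswith("250") and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps

def tlsa_matches(record, cert_der):
    """Compare one TLSA record (usage, selector, matching type, hex data)
    with the presented certificate. Only selector 0 (full certificate) is
    handled; selector 1 would need the SubjectPublicKeyInfo extracted."""
    _usage, selector, mtype, data = record
    if selector != 0:
        return False
    if mtype == 0:                              # exact match
        presented = cert_der.hex()
    elif mtype == 1:                            # SHA-256
        presented = hashlib.sha256(cert_der).hexdigest()
    elif mtype == 2:                            # SHA-512
        presented = hashlib.sha512(cert_der).hexdigest()
    else:
        return False
    return presented == data.lower()

def delivery_decision(ehlo_lines, tlsa_records, cert_der):
    """tlsa_records are assumed to be DNSSEC-validated already."""
    starttls = "STARTTLS" in parse_ehlo(ehlo_lines)
    if not tlsa_records:
        # Opportunistic mode: encrypt if offered, otherwise fall back.
        return "send-encrypted" if starttls else "send-plaintext"
    if not starttls:
        # DNS says this server does TLS, so never fall back to plain text.
        return "defer"
    if any(tlsa_matches(r, cert_der) for r in tlsa_records):
        return "send-encrypted-authenticated"
    return "defer"

# Constructed sample inputs.
EHLO_WITH_TLS = ["250-mail.example.org", "250-SIZE 35882577",
                 "250-STARTTLS", "250 8BITMIME"]
EHLO_WITHOUT_TLS = [l for l in EHLO_WITH_TLS if "STARTTLS" not in l]
TLSA = [(3, 0, 1, hashlib.sha256(SERVER_CERT_DER).hexdigest())]
```

Without TLSA records, a missing STARTTLS offer silently results in plain-text delivery; with them, the same situation holds the message back instead.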
Quick tips to prevent human error
User friendliness minimises the risk of human error. If you set very strict security rules, there is a high risk that users will want to make things easy for themselves.
It's way too easy to think, "Oh, I'll just quickly email this confidential document to my personal email address so I can continue working from home, because our VPN is working so badly." And before you know it, that confidential information has leaked. Our advice: Choose solutions that are easy to use.
"We need to understand that users have more concerns than thinking about security. The easier it is for users to get it right, the better."
If no one explains why a rule or regulation exists, and what the consequences might be if you break it, it's hard to feel responsible for following it. Instead, you might start cutting corners.
Anne-Marie believes that employers have a responsibility to provide training that is both high-quality and relevant, and to balance their security measures so that they do not overwhelm users. Take secure digital communication: it is incredibly important to, for example, hold a review of email etiquette within the company. Do we hit reply all or don't we? And why are we doing what we are doing?
"Every business should spend twice as much on training as it does on technical measures."
Awareness and education are naturally intertwined. But in addition to teaching your employees about risks, you can also invest in solutions that work to create awareness and "break down the mental firewall", as Anne-Marie called it.
If you look at SmartLockr, the application works with notifications that alert the user to various risks, such as when sending an email to someone outside of your organization, when sensitive data is picked up on, and so on.
Additionally, you can block the forwarding and reply-all functions. Should you wish to have these features turned on, SmartLockr will ask you to confirm your recipients before sending the email. It causes you to pause and reflect: does everything look right?
"I like the kind of notifications where you get a prompt to think twice. That's usually what's needed."