The Oft-Forgotten Careless User

It is common knowledge that data security teams must have a proactive plan to prevent breach incidents. With this reality, information security teams target three types of user personas toward their security efforts - the Malicious User, the Compromised User and the Careless User. Amongst these three users, most teams tend to overlook the careless user whereas data shows that actions involving careless users are involved in a majority of data security incidents.


Data Security teams plan proactively against the malicious users by adding appropriate perimeter and internal defenses. Furthermore, for compromised users their focus is in detecting deviations from normal behavior patterns and taking steps to identify and remediate threats due to the compromised user. However, for the third type of user, the careless user, there is insufficient proactive planning and technology in place to protect against the security risk caused by the careless user. Data shows that human error is one of the top reasons for a data breach incident.


There are several reasons why the compromised user or a malicious user receives a lot of attention in most data breach incidents. The human psyche is more sensitive to malicious behavior, the political nature of some incidents puts the spotlight on the malicious and compromised user. Moreover malicious and compromised users makes for better stories in the press, so they get picked up more. Finally there’s the issue of categorization of incidents - according to a recent study by IAPP.ORG, "Unintentional incidents are less likely to be categorized as a data breach incident compared to intentional incidents.”



Due to these factors, the careless user, whose inadvertent actions put the information of an enterprise at risk, doesn’t quite command our attention to the same level. But they should command our attention, especially by the teams that lay the groundwork for an enterprise data security policy.


Fortunately, IT security teams are beginning to acknowledge the case of careless users as a legit threat to enterprise data. In a survey of IT professionals by InfoSecurityEurope, "59% were deeply concerned not primarily about malicious users, but about careless users who unwittingly put their organization’s data at risk.


An enterprise should take measures to monitor and safeguard enterprise data against careless users. However, the problem of a careless user cannot be addressed only with a change in data security and privacy policy. This change needs to be holistic in its approach where resources are put into training people, creating awareness, implementing procedures, and also using technology to mitigate risks associated with a careless user.


Even in simple matters as training users, exciting and novel ways are applied to the compromised user scenario. For example, in October, during the national cybersecurity awareness month, Facebook organizes an annual data security program called Hacktober. During this month-long period, the cybersecurity team at Facebook use gamification - “Trick or Treat” - with the employees to check the preparedness to defend against a data breach incident. This is an exciting way to make employees accustomed to the seemingly dull data security practices. However, the equivalent for careless users is missing in enterprises today, barring the odd notification or email that state good data security hygiene that users must practice.


Today, technology can be a great equalizer in helping enterprises address the problem of careless users. For example, technologies that automate data discovery and remediation when applied to vast quantities of structured and unstructured data can be helpful in identifying risky behaviors by careless users and help to limit the inadvertent sharing of sensitive information.


Innovative technologies coupled with better awareness can drastically reduce data risk caused by careless users. Organizations need to take a proactive stance and address the careless user as a legitimate data security threat, well before a breach incident occurs; not as a reactionary afterthought.


References:

https://iapp.org/news/a/data-indicates-human-error-prevailing-cause-of-breaches-incidents/

https://www.theepochtimes.com/facebook-uses-trick-or-treat-to-test-employees-cybersecurity-savvy_2679110.html