You can’t fix stupid, according to Texas funnyman Ron White, but stupidity — or at least human error — is a leading cause of security breaches, and its escalating costs are no laughing matter. I recently came across a novel idea for a new metric for business continuity, the Stupidity Index.
‘If most problems are due to human error, the next metric for understanding risk and business impact might just be the stupidity index.’ The unnamed author proposes a model for gauging stupidity, ranging from zero (give training and clear instructions, trust employees to a reasonable level) to five (no communication of objectives, non-existent change management, totally ignoring suggestions for improvement).
The recent Independent Oracle Users Group (IOUG) Enterprise Data Security survey found that 77% of respondents cited human error as the greatest risk, threat, or vulnerability to their data. In second place was the fear of inside hacks, cited by 63%, up from 57% in 2010.
The massive IBM/Ponemon economic impact of IT risk survey — 1,069 business continuity specialists and 1,247 IT security practitioners — found that human error is the threat most likely to occur and is the cause of 70% more disruptions than IT professionals anticipate. Larry Ponemon, chairman and founder of the Ponemon Institute, said this is important because the problem isn’t always about “bad guys” stealing company data; he said the “good guys” sometimes make mistakes that result in data loss.
“The most important step to reducing human error is to educate and raise awareness among employees, including part-time workers and contractors,” he said. “The second most important step is to vigorously monitor employees to make sure they follow the rules.”
The economic impacts can be significant: failure at the minor level of downtime lasts an average of 19.7 minutes; moderate and substantial levels last an average of 111.8 and 442.3 minutes, respectively. Looking ahead over the next 24 months, 69% of the respondents said their companies would likely have a minor disruption, while 37% said their businesses would likely have moderate disruption, and 23% indicated a substantial disruption.
With an estimated average cost per minute of $53,210 for a minor disruption, $38,065 for a moderate disruption and $32,229 for a substantial disruption, the estimated average total cost of disruption to business and IT operations over the next 24 months is $1 million for minor disruptions, $4.3 million for moderate disruptions and $14.3 million for substantial disruptions. The study showed the estimated reputation-related cost resulting from disruption to business or IT operations over the next 24 months is $20,929 for minor disruptions, $468,309 for moderate disruptions, and $5 million for substantial disruptions.
Released at the end of April, the Verizon 2014 Data Breach Investigations Report lumps human error under the innocuous title Miscellaneous Errors. ‘After scrutinizing 16K incidents, we’ve made a startling discovery — people screw up sometimes.’
The use of stolen and/or misused credentials (user name/passwords) continues to be the No. 1 way to gain access to information, states the report. Two out of three breaches exploit weak or stolen passwords.
The report notes that nearly every incident involves some element of human error, but the authors chose to omit errors like loss and not keeping patches current because otherwise ‘this category would be so bloated with “incidents” that it would be difficult to extract useful information.’
The top 10 threat action varieties that were included were: misdelivery (44%); publishing error (22%); disposal error (20%); misconfiguration (6%); malfunction (3%); programming error (3%); gaffe (1%); omission (1%); other (1%); and maintenance error (<1%). Of greater concern, Verizon reports that organizations only discover their own mistakes about one-third of the time. Otherwise, an external entity makes them aware of the incident, and most frequently it’s the organization’s own customers.
Until the mythical lights-out, completely automated data center/business is a reality, doing anything and everything you can to limit and/or respond to the fallout from the Stupidity Index will save you time, money and quite possibly your current employment. Just ask the former Target CIO and CEO; you may not be able to fix stupid but you can certainly fire the people who get blamed for its results.