Why are so many data breaches caused human error?

Why are so many data breaches caused human error?

The sad truth is history is filled with data breaches that were caused by human error.

A joint study by Stanford and Tessian reported that employee mistakes cause 88 percent of data breach incidents.

According to an IBM Security study, that number is closer to 95 percent.

And all of this is despite organizations significantly increasing their security budgets over the last ten years.

With the increasing number of breaches stemming from human error, it’s clear that our current approach to security isn’t working.

There has to be a better way.

That’s what we’re going to cover below. You’ll learn about common types of human error that cause data breaches, as well as the best ways to prevent them from happening in your organization.

Table of contents:

What is human error in cybersecurity?

Human error (in the context of cybersecurity) refers to unintentional actions or lack of actions by employees or individuals that lead to a security breach or failure in a computer system.

This is a pretty wide definition and encompasses a large number of actions.

Human error can be anything from running a malware-infected attachment to failing to apply security patches on production servers.

Perhaps this helps explain why it’s a difficult problem to solve.

Based on data from the Psychology of Human Error 2022 report, the following reasons were given why the human error was made:

Reasons behind human errors that lead to a data breach

Types of human error

Despite the infinite number of ways humans make mistakes, most can be categorized into skills-based and decision-based errors.

Understanding how each type of error occurs is crucial to understanding how they can be prevented.

Skills-based errors

These errors are typically associated with the execution of a task and are often due to a lack of technical skills required for a specific task.

They are more about “how” a task is performed.

For example, a skill-based error might involve incorrectly configuring a firewall or forgetting to enable a security setting on a server.

These errors tend to happen when performing familiar tasks and often occur when an individual performs a task automatically without much conscious thought, leading to the slip.

Decision-based errors

These errors are related to decisions made, often under conditions of uncertainty or lack of information.

They are about the “why” or “what” of an action.

An example of a decision-based error could be clicking on a suspicious link in a phishing scam, mistaking it for a legitimate email, or marking an endpoint security alert as a false positive due to underestimating or misunderstanding the full consequences of the alert.

These errors are usually the result of an incorrect assessment of a situation, leading to a poor decision.

RECOMMENDED READING: 7 Most Common Types of Data Breaches

Examples of human error

When it comes to cybersecurity defense, humans are often the weakest link.

While breaches can occur in many forms, here are ten common examples of human error:

  1. Weak password creation: Using simple or common passwords that are easy for attackers to guess
  2. Password reuse: Using the same password across multiple accounts increases vulnerability if one account is compromised
  3. Social Engineering / Phishing: Tricking users into providing sensitive information or performing sensitive actions
  4. Misdeliver of information: Sending sensitive information to the wrong person via email or other channels
  5. Unsecured devices: Using unsecured personal devices for work or leaving devices unattended can lead to unauthorized access or loss of sensitive data.
  6. Missing security patches: Failing to apply software updates, leaving systems vulnerable to known security exploits.
  7. Misconfigured security settings: Incorrectly configuring security settings in software or in networks can create vulnerabilities that attackers can exploit.
  8. Improper Handling of Sensitive Data: Mishandling sensitive data, like leaving printed documents in public spaces or failing to properly encrypt data before transmitting it.
  9. Unauthorized Application Installation: Installing unauthorized software that may contain malware or vulnerabilities.
  10. Insufficient backups: Failing to regularly backup critical data can lead to significant losses in a cyber attack or in the event of data corruption.

Reasons emails get sent to the wrong recipient leading to a data breach

(Based on data from the Psychology of Human Error 2022 Report)

Factors that cause human error

The main factors that contribute to or cause human error can be split up into three categories: opportunity, environment, and lack of training.


Unlike computers, people are fallible. No amount of training can guarantee that humans will make the right decision over time.

Over time, employees tend to become complacent, especially when performing routine tasks, leading to a lack of attention to detail.

The more opportunities we give people to make security decisions, the higher the chances that, at some point, they will make the wrong one.


There are many environmental factors that increase the chances of human error.

Here’s a list of the common ones:

  • Physical factors like poor lighting, noise, and temperature affect concentration and lead to errors
  • Overly complex processes invite employees to skip steps
  • High workload and tight deadlines cause stress and fatigue, leading to errors
  • Ineffective communication leads to misunderstandings and mistakes
  • Insufficient resources, e.g., being understaffed or missing tools, can lead to errors
  • An employee’s physical and mental health impacts their ability to perform tasks accurately
  • Inadequate policies & procedures leave staff without clear guidelines on the correct actions to take
  • Unmotivated employees tend to pay less attention to detail, increasing the likelihood of mistakes.

Lack of training

The likelihood of a mistake being made increases when staff aren’t aware of the risks or haven’t been adequately trained on what to do.

For example, employees who don’t recognize phishing attacks are far more likely to fall for them.

It’s important to note the lack of awareness is rarely the employee’s fault.

Organizations need to periodically offer employees training based on their specific roles as well as the unique cybersecurity threats the company faces.

The training should focus heavily on hands-on exercises and simulations to help drive home theoretical concepts.

How to prevent data breaches caused human error

A combination of opportunity, environment, and lack of training often causes human errors.

If we can eliminate the opportunity for human error, we’ll drastically reduce the number of mistakes made.

At the same time, employees will only make the right decisions if they know the risks and the proper action to take given a particular situation.

We can drastically reduce our risk by implementing a multi-faceted approach targeting the opportunity, environment, and proper training.

RECOMMENDED READING: What A Company Should Do Ater a Data Breach

Reduce the opportunity

Implement technical controls that prevent people from making bad security decisions.

The specific technical controls are highly dependent on the environment, but here are some common controls that should be put in place:

  • Access controls: Use role-based access controls (RBAC) to ensure employees only have access to the data and systems necessary for their roles.
  • Segment the network: Divide your network into segments to make it harder for an attacker to move laterally across the entire network and access sensitive information
  • Enforce strong authentication: Implement multi-factor authentication (MFA) to ensure only authorized users can access sensitive data and systems. In addition, mandate the use of a password manager to generate and store passwords throughout the organization.
  • Encryption: Encrypt sensitive data both at rest and in transit.
  • Maintain an accurate asset inventory: Ensure you have a complete and updated list of all assets associated with your organization. You can’t patch what you don’t know exists.
  • Regular Software Updates: Keep all systems and software up-to-date with the latest security patches.
  • Endpoint Protection: Secure all endpoints (e.g., computers, mobile devices) that access the company network with appropriate security measures to prevent unauthorized access and data leakage.
  • Secure Configuration Management: Ensure that all systems are securely configured and regularly audited for compliance with security policies and standards.
  • Dark web monitoring: Continuously monitor the dark web for leaked employee or customer credentials and session tokens. Cyber criminals often use stolen credentials to gain initial access to their targets in ransomware attacks.

Improve the environment

There are several ways to create an environment conducive to productive work.

Providing adequate lighting, maintaining a comfortable temperature, ergonomic workstations, and reducing excessive noise can help improve your employees’ ability to focus and make sound decisions.

Designing office layouts that minimize interruptions and distractions is crucial. For instance, having designated quiet areas or private spaces can help employees who handle sensitive tasks concentrate better.

Monitoring and regulating your employee’s workload is also essential to prevent fatigue and stress.

Allowing for flexible scheduling and encouraging regular breaks can help mitigate the effects of long hours and high-pressure situations, which are often precursors to human errors.

Finally, providing employees with the right tools can significantly reduce the frustration and errors caused by trying to get a job done with the wrong toolset.

Increase employee awareness with training

After reducing the opportunity for errors and creating an optimal work environment, we need to focus on education.

Enable employees to make better decisions by training them on security basics and best practices.

People have limited attention spans thus training has to be highly engaging and relevant to their roles.

Interactive training that gamifies the content and has a strong hands-on element can increase engagement and make learning more effective.

It’s important to note that training needs to be an ongoing process rather than a one-time event.

Regular testing can evaluate the training’s effectiveness. For example, simulated phishing exercises can identify areas needing more focus in future training.

Closing thoughts

When it comes to defending your network, Humans can be the strongest link.

While studies show that 95% of cybersecurity breaches are caused by human error, they also highlight a clear path to reducing those breaches.

The key lies not just in increasing security budgets to purchase more hardware but also in using part of that budget to address the human element as well.

The combined approach of introducing technical controls, improving the overall work environment, and continuous, gamified training can create a strong security culture.

This approach not only improves the company’s overall security posture but also empowers employees to act as proactive defenders against cyber threats.

Ultimately, our goal is to transform employees from being the weakest link in cybersecurity to our strongest asset.

Related Articles