The Risk of Human Error

According to a June posting on corporatesecurityportal.com, 22 percent of enterprises in the past year have experienced a cybersecurity breach and 21 percent have faced mobile device security issues.

By Ara Trembly

The results come from a survey of more than 3,700 information technology professional members of ISACA, a global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security.

In the next 12 months, survey respondents believe data leaks and employee-related issues will top the list of hot-button IT issues most likely to challenge an organization's network security. The threats were ranked by the information technology pros with data leakage (loss or breach) on top at 17 percent; inadvertent employee mistakes second at 16 percent; and incidents related to employees' personal devices, the trend known as Bring Your Own Device (or BYOD) was third at 13 percent. There were more threats mentioned, but let's just focus on the latter two, since they so easily produce No. 1.

Avoid a Legal Black Hole (04/12/13)
Technological Obsolescence (05/01/13)
Part 3: Big Data Masters (04/12/13)
Defending Your Networks (04/12/13)
Excess and Surplus At the Ready (04/12/13)

Employees make mistakes, that's not news; human error has been a focus of risk management ever since Adam and Eve made an unfortunate dinner choice. What is new, however, is the notion that these errors within our organizations may have effects far beyond what we imagine. In fact, if an error results in unauthorized parties (read criminals) gaining access to our systems, the effect may be catastrophic.

The impact of the mistake will depend in many cases on the responsibility level of the employee making them. Some mistakes will be trivial and even amusing, but others -- such as pushing the wrong button on a major stock trade -- could cost plenty. For example, a Reuters article also dated June 29, notes that a programming error on a massive trade by a broker-dealer nearly caused a "disastrous" set of events at NYSE market close that could have cost millions, but was caught by a person overseeing end-of-day trading.

Things like this are bound to happen. Note, however, that it took a human being -- not a highly sophisticated computer program -- to catch the NYSE error. I'm all in favor of programs that keep watch for possible mistakes, but they obviously either weren't in place or weren't functioning in this case.

As the story notes, the near-event illustrates the difference in market structure between a fully electronic exchange and the Big Board, which has a hybrid system where the open and close are monitored by flesh and blood "Designated Market Makers" (DMMs).

Errors of disastrous proportion, however, are not limited to the financial realm.Insurers and brokers daily handle confidential information that, if leaked, could cause major problems. Just the address and phone number of a prominent person, for example, could be worth a fortune.

The point is that information itself is becoming increasingly valuable, and that means we have to be much more vigilant about protecting such information. Tighter security is an obvious strategy, and maybe BYOD is not such a hot idea.

Small leaks in our corporate security walls can become destructive torrents before we know it, and we might not be able to plug them unless we dedicate human resources -- as well as technological resources -- to keeping critical information safe.

The clear lesson from the Big Board: Don't count on technology alone to save the day when the inevitable human error crops up.

ARA TREMBLY, a long-time technology writer, is founder of the consulting company Ara Trembly, The Tech Consultant. He can be reached at www.riskletters@lrp.com.

August 22, 2012

Newsletter Sign-up