Human error in cybersecurity breaches

More than 90 percent of all cybersecurity breaches are caused by human error! This is the stark reality according to countless studies done by several technology and security companies and organizations. Yet it was seldom, if ever, discussed in the cybersecurity events I attended in the last three years.

Data and cybersecurity breach cases usually highlight the hackers—those “black hats” who break into computer systems and networks of corporations, governments, and organizations to steal or expose data, or cause problems. Most commonly cited is Anonymous, a loosely associated group of hackers from all over the world, which has been operating since 2006 and is reportedly responsible for hacking the Commission on Elections (COMELEC) website to force them to add security to vote count machines (VCMs).

Technology and security vendors, on the other hand, highlight the lack of security tools, appliances, and software in organizations as the risk factor in data breaches. But vendor saturation is one of the biggest challenges currently plaguing the cybersecurity market, to the point that organizations are surrounded by too much noise to truly understand what they actually need to protect their business. This is according to Ronny Guillaume, security systems engineer for Cisco Systems in the US.

Regulators from all over the world have formulated laws and policies to guide organizations in strengthening their data privacy practices and compliance. In the Philippines, RA 10173 (or the Data Privacy Act of 2012) was signed August 15, 2012 and became effective September 8 of the same year. It stipulates that organizations employing 250 people or handling more than 1,000 customers in their database should register their compliance with the National Privacy Commission.

Notwithstanding the cybersecurity technology and regulatory measures that supposedly buttress organizations, data breaches arising from weaknesses in, or the absence of, these measures account for only 10 percent. Many of the security breaches are caused by employees who expose data through ignorance, carelessness, or, in the case of disgruntled staff, deliberate action—all behavioral in nature.

There are numerous published accounts of data security breaches. One case was described thus: “In late July, an email prankster in the UK ‘convinced’ a White House official into believing that he was Donald Trump’s son-in-law Jared Kushner. As if that was not enough, the official—who was tasked with cybersecurity—agreed to share his personal email identity with the trickster.”

Another example: “A not-so-tech-savvy employee of the Union Bank of India clicked on an email attachment just a year back, which unleashed a malware on the bank’s computer servers that siphoned off $171 million from the bank. Fortunately, the bank was able to recover the money.”

Policies, penalties, training and change management can only do so much to change the behavior of organization members. There needs to be a new-age organization development approach that plans and implements systematic change in the attitudes, beliefs and values of employees, to make sure they are aware, conscious and deliberate in their actions as regards protecting company data and upholding cybersecurity. It should encompass structured activities such as enablement of adoption and behavior change on a broad scale, and promotion of good practices that reinforce the new behavior. It employs “intervention” techniques through structured activities, such as experiential exercises, questionnaires, attitude surveys, relevant group discussions and others.

The behavioral aspect of cybersecurity, alongside the technological and regulatory aspects, will be discussed in the forthcoming event organized by Global Chamber Manila, PiliPINASCon 2017, with the theme “Increasing the Filipino’s Awareness on Cybersecurity,” this November 28 at The Tent, Enderun Colleges, McKinley Hill, Taguig City. Marc Goodman, best-selling author of “Future Crimes,” will deliver the keynote. The conference is packed with practical insights and visionary prognostications on the state and future of cybersecurity in the Philippines and the world, with a host of experts and panelists from tech companies, government agencies, NGOs, industry associations and academe.

For more information, you can email or register online at

The author is a co-founder of Caucus Inc., a data privacy consultancy firm, where he also serves as a counselor. He teaches strategic management in the MBA Program of De La Salle University. He is also an adjunct faculty at the Asian Institute of Management. The author may be emailed at