Understanding the Human Element of Risk
December 22, 2020
People are the backbone of a successful organization. However, one seemingly small accident or malicious deed can quickly spiral into a significant financial and reputational crisis. Technology may accelerate the rate and spread of these incidents and malevolent deeds, and organizations need to have the capabilities in place to identify, address, and remedy threats, particularly those known to be caused by human error.
The Human Element of Risk
The human element of risk relates to either the purposeful or accidental acts performed by individuals within an organization that may lead to financial or reputational damage. As an organization reviews its risk environment, it should pay close attention to the human element of risk related to cybersecurity, occupational fraud, and physical security as these areas involve a high level of employee traffic throughout the workday. While these areas do pose a high-risk environment for an organization, they also provide an opportunity for employees to learn and proactively mitigate risk through education and internal communication. Below are specific risks and best practices associated with the human elements of cybersecurity, fraud, and physical security.
The impact of cybersecurity threats, particularly those caused by employees, has grown significantly over the past decade as organizations expand their digital footprint. According to Verizon’s 2020 Data Breach Investigations Report, 30% of breaches are perpetrated by internal actors. While hacking is still the leading breach activity, phishing, social engineering, and human error together accounted for approximately 30% of breach activities. Errors such as misconfiguration (e.g., granting administrative access to non-IT employees), misdelivery (e.g., emails and documents sent to the wrong party), and publishing errors (e.g., posting internal information to external sites) are driven by employees and can lead to costly lessons learned. The Verizon report noted incident costs can range from $1,000 to $100,000, while significant breaches within larger organizations can add up to roughly $3.92 million. These known risks give organizations the opportunity to proactively take the following actions:
- Ensure the information technology department is up to date on industry best practices.
- Communicate methods and regularly train employees to recognize social engineering and phishing.
- Drive internal communication and policy updates to ensure all departments are aware of the dangers that exist for the organization.
All organizations can be susceptible to fraud, and a key factor in fraud is the people (e.g., members internal to the organization) who start and perpetuate the activity. Fraud is a serious matter that can significantly impact organizations, and fraud losses accumulate over time, affecting both large and small businesses. For instance, the 2020 Report to the Nations from the Association of Certified Fraud Examiners offers the following statistics and information:
- The most common types of fraud are asset misappropriation and corruption, while financial statement fraud is the least common but most costly.
- Asset misappropriation schemes have a median loss of $100,000 per incident, while financial statement fraud has a median loss of roughly $950,000 per incident.
- Small businesses are hit hardest by fraud, being twice as likely to have billing and payroll fraud and four times as likely to have check and payment tampering.
- Methods to help deter fraud include implementing internal reporting mechanisms (e.g., hotlines), performing fraud risk assessments, and conducting internal audits to determine if mature controls exist that are regularly reviewed and tested.
Physical security is a key component of an organization’s risk environment. It is crucial that organizations protect their people and critical assets. Physical security often relies directly on employees’ compliance with a set of policies or procedures, but those policies can be undermined by common-courtesy habits such as holding the door open for someone (i.e., tailgating). While many organizations establish physical security functions that restrict access, such as visitor check-in procedures and employee key cards, employees need to be aware of the dangers that can arise from allowing unauthorized people into an office space, including social engineering, stolen identification, and theft of documents. A lapse in physical security that results in inappropriate access can lead to stolen physical or intellectual property, installation of spyware, and/or a physical threat to employees. To help prevent these risks, organizations should:
- Regularly conduct training on security policies and procedures.
- Provide adequate resources and tools for employees to be empowered to report suspicious behavior, misuse of access cards, and misplaced/lost identification.
Methods to Monitor Risks
The human element of risk, both accidental and malicious, is a common threat for all organizations. Given the ever-evolving business environment and the constant shifting of priorities and budgets, it can be challenging to internally plan and coordinate a response to the variety of risks that may arise in the workplace. It is critical for organizations to understand and plan for the risks that may affect their business. The following risk mitigation practices and techniques can serve as an opportunity to evaluate the current risk environment related to cybersecurity, fraud, and physical security:
- Risk assessments that review the entire organization, or specialized assessments of key areas such as the cybersecurity program, human resources, information technology, and physical security.
- Internal audits to measure compliance with existing policies and procedures.
- Operational process improvement reviews to determine which key areas can be enhanced to both reduce risk and optimize functions within the organization.
- Updated policies around cybersecurity, fraud, and physical security, along with employee refresher training to ensure the updates are understood by employees.
If you are interested in learning more about how to mitigate the human element of risk for your organization, reach out to our team.
References
- Verizon. 2020 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/
- IBM. 2019 Cost of a Data Breach Report. https://www.ibm.com/security/data-breach
- Association of Certified Fraud Examiners (ACFE). 2020 Report to the Nations. https://www.acfe.com/report-to-the-nations/2020/