Administrator responsibility for a security incident

Why a security incident is not always the administrator’s fault

No one wants to become a victim of a cyberattack. Organizations invest in security systems, regular backups, firewalls, and network monitoring, while the experience and knowledge of employed specialists form the foundation of protection. Nevertheless, incidents still happen. Sometimes, however, their cause lies beyond the direct control of the IT administrator. Why?

Are best practices not enough? Human error as the main cause of incidents

Administrators make every effort to mitigate the risk of security incidents. They configure password policies, organize training, update software, and conduct audits and penetration tests… However, even in the best-secured organizations, a single user error can expose the company to a serious incident. According to the IBM Cyber Security Intelligence Index report, over 95% of security breaches result from human error.

Risky behaviours that users commonly repeat:

  • opening attachments from fraudulent emails (phishing),
  • reusing the same passwords for multiple accounts,
  • ignoring system alerts,
  • installing unauthorized applications,
  • postponing updates “for later”.

Ransomware attacks, phishing, and account takeovers are primarily the result of employee carelessness, which cybercriminals are well aware of. If we add weak passwords, reusing them across accounts, and storing them improperly to the mix, we are essentially opening the gate for attackers. Even the best IT team cannot watch over every single user in an organization. For this reason, when a security breach occurs, a crucial question arises: who is actually responsible?

What happens after a cyberattack?

IT administrators face a difficult task – they are responsible for the organization’s security but cannot prevent every human mistake. In a post-attack investigation, a vital aspect is demonstrating that the organization applied appropriate practices and security measures. If an administrator can prove that they took care of the safeguards, but it was the employee who consciously ignored them, they will have a strong argument for defense. There is a chance that such information will become a significant mitigating circumstance, which can substantially influence legal and financial consequences.

Transparency and accountability support the administrators

This is where the role of solutions such as password managers comes in. They not only facilitate the management of access credentials but also provide tools for monitoring and reporting their security levels.

Perc.pass offers full transparency and accountability, allowing you to track whether users are complying with internal security policies – such as password complexity levels – and to verify potential leaks.

Through advanced reporting mechanisms, an administrator can demonstrate that the organization provided a secure tool, and that the error lay with the user who intentionally did not use it or failed to secure their authentication data. Such documentation is crucial when clarifying responsibility for security incidents and can directly influence the assessment of the breach’s cause. Continuous reporting and maintaining detailed documentation are also vital elements for building compliance with the upcoming NIS2 Directive.
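To make the kind of policy-compliance report described above concrete, here is an added example (not Perc.pass code and not from the original article) of an audit that checks each vault entry against a hypothetical internal policy: minimum length, number of character classes, reuse of one password across several of the user’s accounts, and presence in a known-leak corpus. The policy values, the vault contents and the breached-password set are all constructed for the example; the leak lookup imitates a k-anonymity range query, in which only a 5-character hash prefix leaves the client, but it runs against an in-memory set rather than a real service. The output is the per-user evidence an administrator could attach to an incident file.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical internal policy (constructed values, not Perc.pass defaults).
POLICY = {"min_length": 12, "min_classes": 3, "max_accounts_per_password": 1}

# Constructed "known leaked" corpus, kept only as SHA-1 digests as a real
# breach corpus would be. The two strings are made up for this example.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2024")
}


@dataclass(frozen=True)
class VaultEntry:
    user: str
    site: str
    password: str  # plaintext only because this vault is constructed in memory


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/other classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)


def breached_suffixes(prefix: str) -> set[str]:
    """Stand-in for a k-anonymity range query: only the first 5 hex chars of
    the SHA-1 are sent, and every suffix sharing that prefix comes back."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_leaked(pw: str) -> bool:
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


def audit(entries: list[VaultEntry]) -> dict[str, list[dict]]:
    """Return, per user, the policy findings for each of their vault entries."""
    # Reuse is measured per user: how many of that user's sites share a password.
    reuse = Counter((e.user, e.password) for e in entries)
    report: dict[str, list[dict]] = {}
    for e in entries:
        findings = []
        if len(e.password) < POLICY["min_length"]:
            findings.append("too_short")
        if char_classes(e.password) < POLICY["min_classes"]:
            findings.append("low_complexity")
        if reuse[(e.user, e.password)] > POLICY["max_accounts_per_password"]:
            findings.append("reused")
        if is_leaked(e.password):
            findings.append("leaked")
        report.setdefault(e.user, []).append({"site": e.site, "findings": findings})
    return report


def compliance_summary(report: dict[str, list[dict]]) -> dict:
    """Condense the per-entry findings into the figures a manager would read."""
    compliant = {u for u, items in report.items() if all(not i["findings"] for i in items)}
    return {
        "users": len(report),
        "compliant": len(compliant),
        "non_compliant": sorted(set(report) - compliant),
    }


# Constructed vault contents for the demonstration.
SAMPLE_VAULT = [
    VaultEntry("alice", "vpn", "Tr0ub4dor&3-correct"),  # meets policy
    VaultEntry("alice", "crm", "xK9#pLm2$vQw7!zR"),     # meets policy
    VaultEntry("bob", "vpn", "Password123!"),           # in leak corpus
    VaultEntry("bob", "crm", "Password123!"),           # same password again: reused
    VaultEntry("carol", "mail", "summer2024"),          # short and only two classes
]

if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for user, items in report.items():
        for item in items:
            status = ", ".join(item["findings"]) or "ok"
            print(f"{user:6} {item['site']:5} {status}")
    print(compliance_summary(report))
```

The report deliberately records findings per entry rather than a single pass/fail per user, because the question after an incident is usually which specific account was weak and whether the tool had flagged it before the breach.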

How to protect the organization and administrators

If administrators want to effectively protect their company and themselves from the consequences of incidents, they should ensure they have evidence that they took all necessary steps to secure the systems. This means that besides the technology itself, documentation of actions and transparency of processes also matter.

Perc.pass increases the level of protection and helps enforce security rules within the organization. In a world where every vulnerability can cost millions, this value is priceless.

FAQ – Frequently Asked Questions

What exactly is a security incident?

It is any event that could lead to a breach of the confidentiality, integrity, or availability of an information system, data, or services – e.g., a hacking attack, phishing, data theft, or malware infection.

No. If the administrator has implemented the required security measures and the incident resulted from user error, the responsibility may be shifted. Maintaining proper documentation is key.


Report it to the relevant authorities (e.g., CSIRT), secure the logs, initiate an internal investigation, and document the course of events and the remedial measures applied.

SIEM solutions, password managers (such as perc.pass), EDR/XDR systems, auditing tools, and event logs.
