British Airways has confirmed that a recent IT glitch that affected over 75,000 travellers was caused by human error.
The CEO of IAG said it was ‘difficult to understand’ the error on the part of an engineer which led to the massive IT glitch.
IAG, the parent company of British Airways, has commissioned an independent investigation into the recent crisis and has promised to disclose details of its findings after the investigation is completed.
From what we know so far, it appears that the IT glitch was caused by a systems engineer who mistakenly switched off the power supply to the airline’s IT systems. According to Willie Walsh, chief executive of IAG, the engineer ‘was authorised to be in the data centre, but was not authorised to do what he did.’
“It’s difficult for me to understand how to make a mistake in reconnecting the power,” Mr. Walsh said.
Human error as the probable cause of the IT glitch was confirmed last week when a leaked e-mail suggested that ‘unplanned and uncontrolled’ handling of the power supply led to the widespread glitch.
“This resulted in the total immediate loss of power to the facility, bypassing the backup generators and batteries… After a few minutes of this shutdown, it was turned back on in an unplanned and uncontrolled fashion, which created physical damage to the systems and significantly exacerbated the problem,” the e-mail read.
The BA crisis has contributed to an emerging concern about how highly vulnerable IT systems are to human error. Recent research conducted by cyber security research firm Proofpoint Australia has revealed how social engineering and human behaviour manipulation are slowly overtaking cyber-attacks as the main weapons of hackers and cyber-thieves.
“Human targeted attacks continued to lead the pack in 2016. Attackers used automation and personalisation to increase the volume and click-through rates of their campaigns. Taking a page from the B2B e-marketer’s playbook, cyber criminals are adopting marketing best practices and sending their campaigns on Tuesdays and Thursdays when click-through rates are higher. Meanwhile, BEC and credential phishing attacks targeted the human factor directly–no technical exploits needed. Instead, they used social engineering to persuade victims into sending money, sensitive information and account credentials,” the report said.
According to the Business Reporter, “three quarters of large organisations suffered staff-related security breaches in 2015, and half of the worst breaches were caused by human error. But even though 42 per cent of executives say their information security training is “very effective” at boosting awareness of risks, just 28 per cent say it is as effective at changing behaviour amongst employees.”
Large organisations like British Airways have security protocols, employee training, cyber-security practices and encryption policies in place, but human error bypasses all of these. Employees are prone to taking the easiest way out to do their jobs and do not use cyber-security technologies most of the time.
A lot of employees also use risky smartphone apps, click on phishing e-mails and do not use standard encryption practices while sharing data with third parties. Experts suggest that cybersecurity policies should be easy for employees to read and understand and should not obstruct them in the course of their work.
“The key here is to never underestimate the ingenuity of users. They will find a way around it to get the job done… Make it simple. If you lock it all down from the beginning it just makes business hard to do,” said Institute of Information Security Professionals director Andy Cobbett at The European Information Security Summit 2016 (TEISS).