Norman Shaw, Founder and CEO of ExactTrak, on human error as the main cause of data breaches and how to protect against it.
Cyber attacks like the recent Ashley Madison incident make great headlines, but as many within the security industry will know, it’s not only external threats that we need to worry about. One of the biggest threats out there is human error, which means you need to protect your data from your employees just as much as you do from hackers.
The recent Big Brother Watch report and the Thomson breach illustrate that human error is going nowhere, so it’s time for organisations to understand why this continues and how to protect against it – because the new EU data protection laws will wait for no one.
Human error is nothing new
Unfortunately, the issue of human error within data breaches won’t be a revelation to anyone reading this. There is broad agreement within the industry that it is the cause of most breaches. The IT Policy Compliance Group says human error accounts for 75% of ALL data losses, the Aberdeen Group says 64%, and most recently CompTIA said human error is the root cause of 52% of security breaches.
Big Brother has been watching
The recent Big Brother Watch report claimed that local authorities had 4,236 data breaches in the last 3 years – that’s almost 4 data breaches every day. And to add to the bad news, there were many repeat offenders – 10 of the local authorities had 100 or more data breaches during that time, with Brighton and Hove reaching a whopping 190 breaches.
The vast majority were caused by human error: lost mobile devices and, yet again, employees sending the wrong data to the wrong people. Specifics included:
– 197 mobile devices including phones, computers, tablets and USBs lost or stolen,
– more than 5,000 letters sent to the wrong address or containing content meant for another recipient,
– 628 instances of incorrect or inappropriate information being shared on emails, letters and faxes.
The case of Thomson
Of course, data breaches aren’t limited to public bodies. In the case of Thomson, a private holiday company, an email was sent in error that contained the home addresses, telephone numbers and flight dates of 458 people – holidaymakers who now fear the company has opened them up to burglaries whilst they’re away. The cause? A simple case of an employee making a mistake; human error strikes again.
So why does this keep happening, and how should organisations deal with it?
Why human error happens is simple – people are people and they make mistakes. Why it keeps happening is more complex, but it is usually because people, and organisations, haven’t learned from their mistakes and haven’t put processes, policies and procedures in place to stop it happening again.
EU data protection regulation
With the new EU data regulation laws on the way, all organisations will need to have their data ducks in a row. With fines of up to €1 million or 2% of a company’s annual worldwide turnover for a data breach, coupled with the reputational damage that comes with a breach, organisations will soon have nowhere to hide.
Protecting your organisation against human error
The key thing to remember when looking to secure your company against the internal threat of a data breach is that human error isn’t going to miraculously disappear. No matter how much you do to protect your organisation, mistakes will happen and breaches will occur, so organisations need to consider what will protect them both before and after the fact.
Here are what I think are the top three things to focus on:
Culture – how employees deal with data is often learnt on the job, so if senior management are serious about how the company handles data to protect itself against a breach, that culture should filter down to everyone. It’s the softer side of things, but the right attitude towards data helps to limit the likelihood of breaches.
Rules – all organisations need to put processes in place so that employees know how to deal with data. As part of the new EU law, organisations will be expected to give notification of a data breach within 24 hours – so EVERY employee needs to know what the policy is for reporting a breach internally, and the ramifications of not reporting one.
Technology – for remote workers with USB drives, laptops and mobile phones on the move, companies need more than encryption, which is difficult to prove after the fact. Organisations need to consider geo-location tracking, technology that provides a verifiable audit trail, and the ability to destroy data remotely if a device is irrevocably lost.
Remembering that people will still sometimes make mistakes, look for technology that both helps prevent a breach in the first place and helps protect you in the unfortunate event that one does occur.
Human error isn’t going anywhere, and that is the starting point from which organisations should approach securing their data.