Until we fundamentally rethink how humans share content, messages and data, this security problem is only going to get worse.
While the technology we use is often far from perfect – hence the need for constant security patches and upgrades – most of the major security breaches we’ve seen have been spread by people.
People can be easy to trick. They forward emails with infected attachments (as was the case with WannaCry), click links to dubious websites and unwittingly grant fraudsters access to their email and systems.
Even a simple slip, like a typo in an email address, can result in us emailing confidential data to the wrong person. Once that email is sent, we have no idea what will happen to that content. Will it be read? Will it be copied, or even sold?
Strong network security is a must-have, but technology alone cannot solve the issue of security risk and data breaches – we need to change how we share content.
We are the weakest link
A 2016 Freedom of Information request urged the Information Commissioner’s Office to release information on the causes of data breaches. The data it released showed that human error accounted for 62% of incidents. Of these, 17% were due to posting or faxing data to the wrong recipient, 17% of breaches were caused by loss or theft of data, and nine percent of incidents happened because someone emailed the data to the wrong person.
BakerHostetler’s analysis of security incidents it handled in 2015 found that while 31% of breaches were due to phishing, hacking or malware, 24% were due to something an employee did, or a mistake they made. An additional eight percent was due to internal theft and six percent of incidents were down to the loss of a device or improper disposal of data. So 38% of incidents were a result of employee action.
Another study – IBM’s 2016 Cyber Security Intelligence Index – found that 60% of all attacks originated from insiders; 75% were malicious, while 15% were due to human error or manipulation.
While comprehensive IT security remains vital, our actions can still undermine it. For example, end-to-end encryption is important for any sensitive communication, but once we’ve sent that email we have no control over what happens to the content. We’re relying on the person at the other end to have sound data management practices and IT systems as secure as ours. They could just as easily be downloading that sensitive data onto a USB stick and taking it home with them.
People aren’t perfect. We make mistakes. We leave mobiles on trains and email the wrong people now and again. Most of the time, while people are the weakest link in an organisation’s IT security process, they aren’t to blame for incidents (unless they act with malicious intent). The real culprits are the poor processes and procedures of the organisation that allowed people to share and access data in an insecure way.
By sending data we’re compromising the security of the information we share. It’s common sense that we should stop sending data, and it’s time to apply some everyday behaviours to the workplace. Think of it like this: would you allow someone to traipse their muddy boots through your house, leaving footprints everywhere, or would you simply conduct your business at the front door?
Instead of one true copy, footprints of the file now exist on multiple devices, have multiple versions and are being viewed and edited by an unknown number of people. If we shift our focus by having one version of the data on a secure server with strict access controls, we can retain full control over who does what with the data we hold. It stays in our control. By ‘pushing’ information out, rather than sending it, organisations can retain full control over what happens to it and who has access.
We’re not being trained to identify threats
The 2016 Experian study – Managing Insider Risk through Training & Culture – found that 66% of respondents identified employees as their biggest security risk. Sixty percent of the respondents also said that their employees lacked knowledge and understanding of the security risks faced by the business.
Of those that did get training, 43% said the training was basic, and often did not cover essentials of modern business practices – like mobile device security and working in the cloud. It didn’t cover basic fraud methods such as phishing. In fact, 49% of respondents said that training wasn’t even mandatory.
The social engineering being used by fraudsters and hackers is becoming increasingly sophisticated. If organisations don’t take the time to educate and inform their employees about the risks they could encounter, they’re leaving themselves vulnerable to all kinds of attacks.
With GDPR coming into force in May 2018, these organisations could face fines running into the millions unless they rethink the way they manage and share data.
Data management for the digital age
Organisations should be digitising their data management, but they need to store this data in a way that is both secure and subject to diligent access management. They need to assess who has access to what data and why. What is the data being used for?
Does everyone need write access to the data? Is there a way that the data can be shared but never leave the secure server it’s stored on? Is there a way to see who has been viewing the data, or a way to prevent these people from downloading or taking screenshots of the data on their screens?
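The "push, don’t send" model described above (one copy on a server, strict access controls, a record of who viewed what, and the ability to revoke access) is easiest to see in a small working model. The following is an added illustration, not code from the article or from any product it alludes to; the `SecureStore` class, its method names and the sample users are all assumptions made for the example.

```python
"""Added example: a minimal access-controlled document store.

The point of contrast: an emailed copy can never be recalled, whereas a
document that only ever lives on the server can be viewed or edited
strictly according to an access list, every access is recorded, and a
grant can be revoked at any time.
"""
from dataclasses import dataclass, field

@dataclass
class Document:
    content: str
    acl: dict = field(default_factory=dict)    # user -> "read" | "write"
    audit: list = field(default_factory=list)  # (user, action, allowed)

class SecureStore:
    """Holds the single authoritative copy of each document."""
    def __init__(self):
        self.docs = {}

    def create(self, doc_id, content, owner):
        self.docs[doc_id] = Document(content, acl={owner: "write"})

    def grant(self, doc_id, user, level):
        if level not in ("read", "write"):
            raise ValueError("permission level must be 'read' or 'write'")
        self.docs[doc_id].acl[user] = level

    def revoke(self, doc_id, user):
        # Revoking a grant is possible precisely because no copy was sent out.
        self.docs[doc_id].acl.pop(user, None)

    def view(self, doc_id, user):
        doc = self.docs[doc_id]
        allowed = user in doc.acl
        doc.audit.append((user, "view", allowed))   # denied attempts logged too
        if not allowed:
            raise PermissionError(f"{user} may not view {doc_id}")
        return doc.content

    def edit(self, doc_id, user, new_content):
        doc = self.docs[doc_id]
        allowed = doc.acl.get(user) == "write"      # read-only users cannot edit
        doc.audit.append((user, "edit", allowed))
        if not allowed:
            raise PermissionError(f"{user} may not edit {doc_id}")
        doc.content = new_content

    def who_viewed(self, doc_id):
        """Answer the article's question: who has been viewing this data?"""
        return [u for u, action, ok in self.docs[doc_id].audit if action == "view" and ok]
```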
Those organisations that work with third parties must manage the additional risk of outside organisations being responsible for data breaches. The fact is, if a major business suffers a data breach, it’s not the unknown third-party supplier that will hit the headlines or face the reputational backlash from the public.
Organisations have to ask themselves how they will manage this additional risk. Is there a secure system that they can put in place? Can they require that their partners be as rigorous in their data management processes as they are themselves?
Until we fundamentally rethink how humans share content, messages and data, this problem is only going to get worse. But with the right software, systems and training in place, organisations can create a secure environment for the data they hold. They can create a fail-safe for fallible humans.