The people problem: Human error continues as main cause of data breaches
Results of Egress’ latest Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) show that people continue to be the weakest link when it comes to data protection. In fact, the statistics reveal that two-thirds of sectors witnessed an increase in data breach incidents, with the main cause being people sending sensitive data in error, whether by email, fax or post.
At the same time, data security has arguably never been higher up the boardroom agenda. 2015 has been dubbed by many as ‘The Year of the Data Breach’ following incidents involving many household names. Globally, senior executives from all sectors are actively improving policy and procedure to protect both customer data and themselves from a breach.
Why then, with increased time and financial resources being allocated to data security, do breaches continue to rise?
The elephant in the room: Your people
Ultimately, the answer lies in people’s ability to work autonomously of each other and any data protection policies and procedures their organisations may put in place. Employees will continue to make decisions in the workplace – and for the most part, this is obviously a positive. It means your organisation can function without the need for micro-management and excessive hurdles in the way of getting the job done.
People, however, will always make mistakes. When they’re processing and sharing sensitive information, this can cause a breach – complete with its implications of financial penalties from the ICO, high-profile media attention and inevitable loss of customer confidence.
Additionally, for many the technology currently in place for protecting sensitive data no longer reflects the way people work – let alone the fact that they’re likely to make mistakes.
Equipping employees with suitable information security technology
The results from the ICO demonstrate that many organisations are still relying on traditional mechanisms for sharing information, namely fax and post. However, these mechanisms are also acknowledged as some of the most insecure ways of sharing data. For instance, even if the fax number or postal address is correct, there is no assurance over who will actually be waiting at the other end to collect the information and what they will do with these hard copies. Additionally, for organisations in sectors such as legal and justice, the amount of paperwork increases exponentially and therefore so does the risk of a breach (as acknowledged by the ICO too).
Organisations therefore need to ensure that employees can access the data protection tools they require.
The nature of work has changed radically over the past few years – the rise of mobile working, in particular, has led to workforces spread not only nationally but also globally. Employees are also frequently encouraged to bring their own devices to work, in order to stay better connected with their projects.
The result of this? Data replicated across devices and environments, and being sent to an increased number of recipients.
Consequently, organisations need to look at the tools they are providing their employees with to share this data securely. Email encryption, for example, isn’t always the most suitable answer, and so organisations need to take a holistic approach that also includes sending large files securely and providing secure online workspaces as required. As we’ve also seen, end-users need a secure way to access and send information via a variety of devices, so apps for both desktop and mobile must also be accommodated.
AI: The future of data protection
Alongside this, organisations need to be aware of information security vendors looking to expand the remit of current technology to improve protection of sensitive customer data.
Companies like Microsoft are already announcing their intentions of using AI to insulate organisations from hackers and other cyber-attacks.
However, since the greatest cause of data breaches is people releasing data in error from inside an organisation, security solutions also need to defend against this. Every day, employees leave digital footprints: markers of what good behaviour looks like versus bad. Organisations now need systems to gather this data and analyse it to provide a mechanism for overcoming accidental data breaches.
In practice, for example, this would involve monitoring when employees choose to encrypt emails. If one employee always encrypts information sent to a specific recipient but one time forgets to do so, the system should question the end-user as to whether this was the correct decision to make. Similarly, if an end-user always shares files with a particular recipient named ‘Bob’ but one time accidentally tries to send them to another user named ‘Bob’ instead, the system should be able to question this decision. This will be more effective than continuously prompting users to always encrypt emails at the point of send. (In the latter scenario, they’re more likely to automatically click to ignore the prompt and then realise they’ve made a mistake.)
Similarly, at an administrator level, policies can be put in place to block certain IPs or check when users authenticate to access sensitive information from unexpected locations. If you know an employee should only be based at a UK address, then warnings should be issued if their credentials are used abroad.
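The two behavioural checks described above (a recipient who normally receives encrypted mail, and a second ‘Bob’ at a new address) plus the unexpected-location login check, as an added illustration that is not Egress’ code or any vendor’s product. The send history, directory and home-country records are constructed sample data; the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed history of past sends: (sender, recipient address, was_encrypted).
HISTORY = [
    ("alice@example.org", "bob@partner.example", True),
    ("alice@example.org", "bob@partner.example", True),
    ("alice@example.org", "bob@partner.example", True),
    ("alice@example.org", "carol@example.org", False),
    ("alice@example.org", "carol@example.org", False),
]
# Constructed directory: address -> display name (two different "Bob"s).
DISPLAY_NAME = {"bob@partner.example": "Bob", "bob@other.example": "Bob",
                "carol@example.org": "Carol"}
# Constructed HR record: user -> countries they are expected to work from.
HOME_COUNTRIES = {"alice@example.org": {"GB"}}


def build_baseline(history):
    """Per (sender, recipient): [encrypted sends, total sends] learned from history."""
    counts = defaultdict(lambda: [0, 0])
    for sender, rcpt, encrypted in history:
        counts[(sender, rcpt)][0] += int(encrypted)
        counts[(sender, rcpt)][1] += 1
    return dict(counts)


def check_send(baseline, sender, rcpt, encrypted, min_sends=3, threshold=0.8):
    """Return the questions a client should put to the user before sending, if any."""
    prompts = []
    enc, total = baseline.get((sender, rcpt), (0, 0))
    # Deviation from the learned habit: this recipient normally gets encrypted mail.
    if total >= min_sends and enc / total >= threshold and not encrypted:
        prompts.append(f"You usually encrypt mail to {rcpt}; send this one in the clear?")
    # Lookalike contact: a new address whose display name matches a known recipient.
    known = {r for s, r in baseline if s == sender}
    if rcpt not in known:
        name = DISPLAY_NAME.get(rcpt)
        twins = sorted(r for r in known if DISPLAY_NAME.get(r) == name)
        if name and twins:
            prompts.append(f"{rcpt} is a new '{name}'; did you mean {twins[0]}?")
    return prompts


def check_login(user, country):
    """Warn when credentials are used from a country the user is not expected to be in."""
    expected = HOME_COUNTRIES.get(user)
    if expected and country not in expected:
        return f"{user} authenticated from {country}, expected {sorted(expected)}"
    return None
```

The prompts are questions rather than blocks, matching the article’s point that a targeted query at the moment of deviation is harder to click through than a blanket prompt on every send.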
The future of data security lies in making it as simple as possible for end-users and administrators to engage with the technology put in place to protect sensitive information. It should not be a hurdle to productivity but instead a tool for making smart decisions that protect customer data. Organisations need to start now by putting in place effective technology and looking to move forward with vendors ready to tackle the biggest elephant in the room: your people and the mistakes they are going to make.