New report shows the staggering scale of breaches due to human error
It's usually outsider attacks that grab the headlines, but new figures from Big Brother Watch really bring the impact of human error to the fore
Vast amounts of personal information are shared every day in exchange for better, more efficient services. From local authorities to restaurant chains, every organisation is keen to access our data.
Consumers in turn expect businesses to keep that information secure and ensure access is only granted for the purpose they intended. Yet a new report by Big Brother Watch has revealed that this confidence is often misplaced.
The report, A Breach of Trust, found that between April 2011 and April 2014 local authorities committed an average of four data breaches a day and the majority of these breaches were due to human error.
Whether sending letters to the wrong recipients or leaving sensitive documents behind on a train, employees made errors which left citizens vulnerable to data theft. When considering the type of sensitive information kept on file by local councils, from dates of birth to child protection reports, human error is clearly a data breach factor which needs to be addressed.
Many data breach headlines stem from large-scale hacking attacks, but most incidents of data loss are in fact a consequence of human error. Many of these data loss cases are not reported and staff often turn a blind eye; management often don’t perceive a naïve employee to be as big a threat as a malicious hacker intent on stealing sensitive data.
Yet organisations should be aware that the consequences of human error can be just as serious as those data breaches caused by external attacks.
Companies today dedicate large portions of their budget to defending against attacks from beyond the corporate firewall, but ignore the real risk of errors from employees who routinely breach IT policies and place company documents at risk.
Intralinks and Ponemon Institute research into the security threat caused by unsanctioned file sharing revealed that just over half of respondents do not believe their organisation has the ability to manage and control user access to sensitive documents and how they are shared.
This should be a major concern for employers. Although it may be an uncomfortable truth, staff routinely follow bad practice when sharing data and collaborating with colleagues. Organisations are left unprepared because defence mechanisms in place to protect against data breaches are often insufficient.
The scale of the problem caused by human error was revealed within the same research. A worrying 61% of respondents confirmed that they do not follow policy on document deletion, frequently fail to delete confidential documents, use personal storage and file sharing apps for enterprise assets, and have accidentally forwarded documents to individuals who were not authorised to access them.
Improving staff education on risky data sharing behaviour is one answer to the problem of human error but it does not resolve the issue of genuine mistakes. We do make mistakes: no one is infallible.
While training and education are steps in the right direction, businesses need to ask themselves how they can effectively reduce the possibility of suffering an accidental data leak.
Combining user-focused strategies such as data protection training for staff with technological solutions can offer businesses peace of mind. To counteract the threat of employee error, organisations should be investing in technology which enables safe collaboration and secure sharing while also offering back-up security features.
Technologies such as Information Rights Management (IRM), for example, can make it easier to protect and control sensitive information once it has been shared, and manage who has access to a document throughout its lifecycle.
IRM technology enables businesses to apply policies to individual files or types of document, keep the data owner in control and even revoke access to shared files regardless of whether they have been copied, shared or saved elsewhere. If for any reason the document needs to be retracted, it can be effectively destroyed remotely in a click, leaving no trace of the content.
The recent Breach of Trust report revealed 99 cases of unauthorised people accessing or disclosing data. Rather than abandoning this data to the unknown, IRM technologies would have given employees visibility into how and where these files were being shared, viewed and distributed while also enabling them to retract access to this data, thereby protecting sensitive information from prying eyes.
Every organisation today requires the freedom to share critical documents and data online. It is unrealistic to believe that human error can be completely eradicated, but controls that safeguard sensitive data, no matter where it resides, can mitigate the risk that a malicious or careless employee will cost the organisation huge fines and a damaged reputation.
The data revealed by this latest Big Brother Watch report highlights the issue of human error in the workplace and should encourage organisations to reassess their technological controls in the constant struggle against user mistakes.
Local authorities may have been brought into the spotlight for their role in losing sensitive data, but we can be sure that many businesses out there are wondering how they would fare if their employees were subjected to the same scrutiny.
Sourced from Richard Anstey, EMEA CTO, Intralinks