The growth of the cyber security market should come as little surprise to anyone in the industry: as the more data is stored and sent digitally, a breach becomes more likely.
There has also been major legislative reform that has redefined how organisations handle sensitive data and plans to introduce harsher penalties for those who fall foul. The result? A booming cyber security industry.
So, given clearer rules around data protection and more money than ever before being spent on preventing a breach, it would be reasonable to expect the number of reported incidents to plateau or, preferably, decline.
Yet overall this isn’t what we’re seeing. (And with mandatory data breach reporting coming into effect for all industries from 2018 as a result of the EU General Data Protection Regulation, as things currently stand this seems unlikely to happen in the near future either.)
The results of a recent Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) revealed a general upward trend of breaches for 66% of sectors since 2014.
The worst offender was the courts and justice sector, which recorded a rise of 500%. Other organisations that experienced a concerning growth in breach incidents are insurance firms (317%), general businesses (157%), solicitors and barristers (127%), and charities (109%).
Although not experiencing such a dramatic rise in breaches at only 13% increase, healthcare organisations continue to top the list for total number of reported incidents per quarter.
The people problem: human error remains the root cause of data breaches
Once again, the main cause of these breaches (accounting for 62%) was human error.
More specifically, people sending sensitive data in error – whether by email, fax or post. This far outstrips other causes, such as insecure webpages and hacking, which stands at 9% combined.
At this point, logic dictates that we must not be spending financial resources on the correct products – those that tackle human error.
Research conducted earlier this year has backed this up, showing that only 20% of CIOs and senior executives consider human error a top priority. To compare, 49% are focusing on external hackers.
Employees obviously have to be trusted to work autonomously, otherwise business will suffer from inefficient micro-management and excessive hurdles in the way of productivity.
However, this is a double-edged sword and also means that they can work autonomously of, and sometimes in conflict with, data protection policies and procedures.
People will also always make mistakes – and when they’re processing and sharing sensitive information, this can cause a breach.
In turn, your company may face financial penalties, high-profile media attention and loss of customer confidence.
Additionally, organisations are failing to equip their employees with technology that helps protect against the risk employees pose to sensitive data.
It’s time for a new approach: using AI to tackle human error
When getting to grips with this issue of human error, organisations need to be looking at security vendors who are working to push the limits of what technology can do to mitigate the risk.
Let’s take the example of the ‘accidental send’ – that is, an email sent in error to the wrong recipient (perhaps due to the ‘autocomplete’ feature in many email clients).
Sometimes the only consequence is the sender being left slightly red-faced and needing to resend the email to the intended recipient.
However, when sensitive customer and corporate data is involved, the stakes become significantly higher.
Companies like Microsoft are already announcing their intentions of using AI and big data to protect organisations from hackers and other cyber-attacks.
However, with the greatest cause of data breaches people releasing information in error from inside an organisation, security solutions also need to defend against this.
What’s more, your people remain your biggest asset. Their situational analysis enables them to make more complex decisions in any sharing scenario – for example, the introduction or removal of a specific individual from the sending chain or knowing what time and for how long someone should be able to access sensitive information.
So, a new approach is needed but it must be one that combines both man and machine!
How AI can mitigate human error in practice
Every day, employees leave digital footprints; markers of what good behaviour looks like versus bad. Organisations now need systems to gather this data and analyse it to provide a mechanism for overcoming accidental data breaches.
Continuing with our example of the ‘accidental send’, in practice this would involve software monitoring when individual employees choose to encrypt emails.
If an end-user always shares files with a particular recipient named ‘Bob’ but one time accidentally tries to send them to another user named ‘Bob’ instead, the system should again be able to question this decision to make sure they haven’t fallen victim to ‘autocomplete’ or any other mistake.
Similarly, if the employee always encrypts information sent to a specific recipient but one time forgets to do so, the system should question the end-user as to whether this was the correct decision to make.
This system will arguably be more effective than one that doesn’t introduce AI but continuously prompts users to always all encrypt emails at the point of send.
In this scenario, your employees are likely to become desensitised to the prompt and automatically click to ignore it, only afterwards realising they’ve made a mistake.
Meanwhile, at an administrator level, policies can be put in place to block certain IPs or check when users authenticate to access sensitive information from unexpected locations.
If you know an employee should only be based at a UK address, then warnings should be issued if their credentials are then used abroad.
Overcoming human error should be a main priority for organisations looking to protect themselves from a data breach and all associated negative consequences.
The future of data security therefore lies in making sure that technology is able to detect the errors your employees are guaranteed to make and alerting them to the fact before it’s too late.
It requires software that can collate big data based on user patterns and trends, and analyse this information to make sure the best possible decision is being made in any situation.
Organisations, therefore, need to start now by putting in place effective technology to mitigate this issue and look to move forward with vendors committed to defeating the age-old problem of human error.
Sourced by Tony Pepper, CEO, Egress Software Technologies