The Data Privacy & Tailored Risk Blog

Human Error as the First Cause of Data Breaches and How to Solve the Problem - PrivIQ

Written by Nick Eckert | Jan 17, 2019 5:00:00 AM

With so many data breaches being reported, you may be wondering whether hackers have become cleverer or whether organisations are not giving data protection the seriousness it deserves. Unfortunately, many organisations do not realise that human error is one of the primary causes of data breaches. Often, inappropriate data handling policies and procedures, combined with negligence and a lack of vigilance by data users, are what expose information to intruders (or hackers, if you like). Some of the most obvious mistakes made by data system users include lost or stolen paperwork, leaked passwords and emails sent to the wrong recipients.

What exactly causes human-related data breaches?

Data users, specifically employees, expose organisational data systems to hackers by making simple mistakes that can easily be avoided. Here are some of the most common data breach causes.

Use of weak passwords

A password such as your spouse’s name or your birthday may be easy to remember, but it can also be guessed by someone else or cracked with ease by a so-called brute-force attack. A shared password is also a risk factor, as you just don’t know with whom else it will be shared, staff mates with malicious intentions included. Additionally, if employees use one password across multiple accounts, every one of those accounts is at risk of being breached as soon as attackers gain access to any one of them.
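The checks described above can be applied at the point where a password is chosen. The following is an added example, not code from the original post or from PrivIQ: a policy function that rejects short or digit-only values, values containing facts an attacker could look up about the user (a name, a birth year), and values already present in a breach corpus. The minimum length, the personal-token list and the tiny breach corpus are constructed assumptions for illustration.

```python
"""Added example, not from the original post: a password-acceptance check that
rejects the kinds of weak password described above (guessable personal data
such as a name or birthday, very short or digit-only values, and passwords
already present in a breach corpus). The breach corpus, the minimum length and
the personal-token list are constructed assumptions for illustration.
"""
from __future__ import annotations

import hashlib
from typing import Iterable

MIN_LENGTH = 12  # assumption: organisational policy minimum

# Constructed stand-in for a breached-password corpus, stored as SHA-1 digests
# so the plaintext list never sits in memory. A real deployment would load a
# large published corpus or query a k-anonymity range API instead.
KNOWN_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1")
}


def is_breached(password: str) -> bool:
    """True if the candidate's SHA-1 digest appears in the breach corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in KNOWN_BREACHED_SHA1


def check_password(password: str, personal_tokens: Iterable[str] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    personal_tokens holds facts an attacker could look up about the user
    (first name, spouse's name, birth year); any token of three or more
    characters found inside the password is a violation.
    """
    reasons: list[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only (looks like a date or PIN)")
    lowered = password.lower()
    for token in personal_tokens:
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains personal information: {token!r}")
    if is_breached(password):
        reasons.append("appears in breached-password corpus")
    return reasons


if __name__ == "__main__":
    # Constructed profile for a hypothetical user.
    profile = ("Maria", "1984")
    for candidate in ("Maria1984", "12051984", "password", "correct horse battery staple"):
        verdict = check_password(candidate, profile)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Reuse of one password across several accounts, the last mistake in the paragraph, cannot be detected by any single service; the only controls are the breach-corpus check above and a second factor.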

Low data security awareness

Not everyone keeps up to date on data security matters. Employees often fail to update the software they use, perhaps because they don’t realise how important it is, or simply because update notifications arrive when they are swamped with their regular tasks. Worse still, even the smartest employees fall prey to scammers who spread malicious email links; they click on these links without realising how harmful they are. In some cases, employees create vulnerabilities by inadvertently downloading malicious software or plugging in devices whose security may already be compromised.

Careless data handling

Employees deal with large amounts of data on a routine basis. As such, making mistakes during data transfers is not unheard of. Wrong typing of the recipient’s email address or attaching the wrong file to the email could mean that the organisation’s sensitive information lands in the wrong hands.

Uncontrolled data access

Granting employees too much access to data is another human mistake that exposes data systems to breaches. Uncontrolled data access may result in unauthorised system changes, as employees try to make their job easier or speed up the data system. Unfortunately, such changes may hinder the normal operation of the organisation, and in extreme cases the data system may be brought to a halt. In such an open data access setting, employees also gain access to system configurations and information they are not authorised to see, leading to data leaks.

Negligence of proper security procedures

Most employees put their work before everything else. They focus on completing their work fast, even if it means compromising the data security of the organisation. Data security features, such as updates, are critical to the effectiveness of the organisation’s overall data protection. However, these updates can take a long time to complete, so employees tend to ignore them. Some employees may also decide to turn off important data security features they deem to be intrusive. These human actions can easily expose the whole data system to breaches.

Examples of data breaches caused by human error

Having established that human error plays a significant role in data breaches, it’s worth looking at some well-documented breaches caused by this human element.

Anthem

In early 2015, Anthem, a health insurance company in America, treated the world to the shocking news that attackers had gained access to its data system, stealing social security numbers, income data, and addresses of the company’s employees and clients. It was claimed that someone had initiated a database query using one of the company administrators’ unique identifier codes. Many believe the attackers employed social engineering methods to steal the code. This breach affected at least 80 million clients.

EBay

In 2014, it was reported that attackers had stolen the credentials of up to 100 eBay employees. These credentials were used to access the internal network of the e-commerce site. The attackers exfiltrated the details of about 145 million of the company’s clients, including their names, physical addresses, email addresses, and passwords.

Sony Pictures Entertainment

It all began when the company’s top executives received fake Apple ID verification messages via email. Each email redirected the recipient to a phishing website, which captured the executives’ Apple account information. The attackers also used this information to gain access to the LinkedIn profiles of company employees as they worked their way towards Sony’s network. The attackers went on to cripple the company’s computer networks, making off with 100 terabytes of data.

NHS

In September 2015, a member of staff at a SoHo clinic sent out a newsletter to 781 “Option E” subscribers. In the process, the sender accidentally entered the addresses in the ‘To’ field instead of the ‘BCC’ field, allowing every recipient to view every other recipient’s email address, as well as their full names.
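The clinic mistake is easy to prevent in any system that sends bulk mail. Below is an added example, not code from the original post or from PrivIQ, that builds a newsletter with subscribers in Bcc, refuses to hand the message to transport if To/Cc expose more addresses than a policy threshold, and strips the Bcc header before the message is serialised. The sender address, the subscriber list and the MAX_VISIBLE_RECIPIENTS threshold are constructed assumptions.

```python
"""Added example, not from the original post: building and preparing a bulk
newsletter so that subscribers cannot see each other's addresses, which is the
failure in the clinic case above. The sender, subscriber list and the
MAX_VISIBLE_RECIPIENTS threshold are constructed assumptions.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # assumption: a newsletter shows at most the list's own address


def build_newsletter(sender: str, subscribers: list[str], subject: str, body: str) -> EmailMessage:
    """Put the list address in To and every subscriber in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # the only address other recipients can see
    msg["Bcc"] = ", ".join(subscribers)     # real recipients, hidden from each other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Collect the bare addresses found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr for _, addr in getaddresses(values)]


def prepare_for_transport(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Return (envelope recipients, wire bytes) for an SMTP client.

    Refuses to proceed when To/Cc expose more addresses than policy allows,
    and strips the Bcc header so that the full subscriber list never travels
    inside the message. smtplib's send_message() strips Bcc itself; this
    guard matters when a message is serialised and handed to sendmail() or
    to a third-party delivery API.
    """
    visible = _addresses(msg, "To", "Cc")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(
            f"{len(visible)} addresses visible in To/Cc; bulk recipients belong in Bcc"
        )
    envelope = visible + _addresses(msg, "Bcc")
    del msg["Bcc"]
    return envelope, msg.as_bytes()


if __name__ == "__main__":
    subscribers = [f"subscriber{i}@mail.test" for i in range(1, 6)]  # constructed
    msg = build_newsletter("newsletter@example.org", subscribers, "Clinic newsletter", "Hello")
    envelope, wire = prepare_for_transport(msg)
    print(len(envelope), "envelope recipients; subscriber visible in wire bytes:",
          b"subscriber1@" in wire)
```

The envelope list is what the SMTP client passes as RCPT TO; the wire bytes are what every recipient receives, and after the Bcc header is removed they name only the sender.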

Best practices to prevent human-related data breaches

Some cyber security mistakes occur only occasionally; others are systematic (think weak passwords). And while the damage to your business may not be immediate, such errors are a disaster in waiting. If they’re not addressed in time, they will result in data breaches and leaks, which may require vast sums of money to fix. However, you can employ the following practices to protect your business effectively from human security mistakes.

Employee education

Training your employees on data security matters creates security awareness, which goes a long way in lessening or eliminating mistakes. Educate them on secure methods of handling data and the extent of damage that data breaches can cause. Let this awareness be in their DNA.

Implementation of effective security policy

It’s critical to formalise security rules and regulations in your organisation by writing them down. The policy document should clearly outline how data should be handled, the monitoring software that should be used and how passwords should be managed, etc. Every employee should be familiar with the data security policy, and the policy should be enforced to the letter.

Limited privileges

Unless it’s absolutely necessary, employees should not have access to every bit of data in your company. It’s safer to allow them to access only the information they need in order to do their work. Any other data should be retrieved only when there is an unavoidable need. This helps to prevent accidental data deletion and leaks.

Employee monitoring

Distinguishing regular user activity from security mistakes can be difficult. As a result, errors may go unnoticed for an extended period, leaving your data vulnerable to breaches. Using employee monitoring software is one reliable way of detecting and fixing mistakes as soon as they happen.
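Monitoring is most useful when it encodes the specific mistakes described in this post. The following is an added example, not code from the original post or from any monitoring product, of detection logic run over constructed outbound-mail gateway records. It raises an alert for a message whose To/Cc expose more external addresses than a threshold (the clinic newsletter failure) and for a recipient whose domain is one typo away from a trusted domain (the mistyped-address failure under “Careless data handling”). The log format, the domains and the thresholds are constructed assumptions.

```python
"""Added example, not from the original post: detection logic that reviews
outbound-mail gateway records for two of the mistakes described in this post,
a bulk mailing with recipients exposed in To/Cc and a recipient domain that
looks like a typo of a trusted domain. The log format, domains and thresholds
are constructed for illustration and match no real product.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ORG_DOMAIN = "example.org"                               # assumption
TRUSTED_DOMAINS = {"example.org", "partner-lab.test"}    # constructed
MAX_VISIBLE_EXTERNAL = 5                                 # assumption

# Constructed gateway log lines: timestamp, sender, visible recipients.
SAMPLE_LOG = """\
2019-01-17T09:12:03Z from=nurse@example.org to=gp@partner-lab.test cc=
2019-01-17T09:40:11Z from=clinic@example.org to=a1@mail.test,a2@mail.test,a3@mail.test,a4@mail.test,a5@mail.test,a6@mail.test cc=
2019-01-17T10:02:45Z from=admin@example.org to=finance@exmaple.org cc=
2019-01-17T10:15:09Z from=hr@example.org to=staff@example.org cc=payroll@example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S*) cc=(?P<cc>\S*)$")


@dataclass
class Alert:
    ts: str
    sender: str
    rule: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1. Catches 'exmaple' vs 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_domain(domain: str) -> str | None:
    """Return the trusted domain this one is a single edit away from, if any."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) == 1:
            return trusted
    return None


def analyse(log_text: str) -> list[Alert]:
    """Run both rules over every parsable log line and return the alerts."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a real pipeline would count these
        recipients = [r for r in f"{m['to']},{m['cc']}".split(",") if r]
        external = {r for r in recipients if r.rsplit("@", 1)[-1] != ORG_DOMAIN}
        if len(external) > MAX_VISIBLE_EXTERNAL:
            alerts.append(Alert(m["ts"], m["sender"], "bulk-visible-recipients",
                                f"{len(external)} external addresses in To/Cc"))
        for r in recipients:
            hit = lookalike_domain(r.rsplit("@", 1)[-1])
            if hit:
                alerts.append(Alert(m["ts"], m["sender"], "lookalike-domain",
                                    f"{r} resembles trusted domain {hit}"))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a.ts, a.sender, a.rule, a.detail)
```

Against the constructed log the second line trips the bulk rule and the third trips the lookalike rule; the first and fourth lines, which go only to trusted or internal domains, are silent. Thresholds like these produce some false positives, so the alerts are best routed to a person who can confirm with the sender before the message is released.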

Prevent human errors with GDPR365

Want to eradicate data breach causes resulting from employee mistakes? Use GDPR365, a purpose-designed programme loaded with built-in GDPR guidance, data risk assessments, data breach management, subject access management, and other GDPR compliance aspects. With all these features, GDPR365 secures your data like no other.


START NOW YOUR FREE TRIAL