Human Error Responsible For Majority Of Data Breaches
Since it became compulsory to report data breaches in May of this year, the Information Commissioner’s Office (ICO) has seen the number of reported data breaches increase by almost 500%. The ICO also reported this year that 80% of data breaches occur because of human error.
With a huge sprawl of data within most organisations, those tasked with data protection are struggling to contain the risk. A report produced by Experian found that 66% of data protection and privacy training professionals surveyed said that employees were the weakest link in cyber security.
Mistakes include sending emails to incorrect recipients, loss or theft of hardware, mismanagement of paperwork and succumbing to manipulation to download files, click on links, open unknown attachments, and enter secure information when asked.
To reduce the human risk element, businesses need a robust combination of people training, secure processes and efficient technology.
System complexity means there is a danger that employees will try to find easier ways around things, ignoring security policy. Training and awareness are essential to drive home the message that security safeguards are paramount.
A cultural shift is needed to make data security a way of life for organisations. While human weaknesses exist, hackers will target them. According to the report, regular training can start to make users the strength of the system, rather than the weakest link.
Employees need to be aware of the extent of the data within their control, how to identify a data breach and how to immediately implement the correct procedure, to include any external reporting to the ICO if necessary.
Training exercises help to ingrain good cyber security habits and while there will always be some element of human error, education and raising awareness will go a long way to reducing it.
Businesses need to review policies and ensure that they have strict identity and access management protocols. Users should be given only the minimum amount of access necessary to do their jobs.
Administration procedures should be as tight as possible, for example by requiring confirmation of email attachments sent to external parties and disabling auto-populate options for email addresses.
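The two controls above (confirmation before attachments leave the organisation, and guarding against an auto-completed address going to the wrong domain) can be implemented as an outbound mail check. The following is an added illustration, not code from the article or from any product it mentions; the message structure, the internal domain list, the sample addresses and the 0.8 similarity threshold are all constructed assumptions.

```python
"""Outbound e-mail review: require confirmation when attachments are addressed
to external recipients, and flag recipient domains that look like a typo of an
internal domain (the kind of slip an auto-completed address produces).
All names, domains and thresholds here are constructed for illustration."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Set


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    attachments: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike(domain: str, internal: Set[str], threshold: float = 0.8) -> Optional[str]:
    """Return the internal domain this external domain resembles, if any.
    The 0.8 ratio is an assumed cut-off; tune it against real address books."""
    if domain in internal:
        return None
    for good in internal:
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None


def review_outbound(mail: OutboundMail, internal: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the message may be sent
    without further confirmation."""
    findings = []
    external = [r for r in mail.recipients if domain_of(r) not in internal]

    # Mis-addressing check: an external domain that is nearly an internal one.
    for recipient in external:
        hit = lookalike(domain_of(recipient), internal)
        if hit:
            findings.append(f"BLOCK: {recipient} looks like a misspelling of @{hit}")

    # Data-leaving-the-organisation check: attachments to any external party.
    if external and mail.attachments:
        findings.append(
            f"CONFIRM: {len(mail.attachments)} attachment(s) addressed to external "
            f"recipient(s) {', '.join(external)}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: a typo'd domain plus an attachment.
    internal_domains = {"example.com"}
    sample = OutboundMail(
        sender="alice@example.com",
        recipients=["bob@exampel.com"],
        attachments=["customer-report.xlsx"],
    )
    for finding in review_outbound(sample, internal_domains):
        print(finding)
```

Wiring this into a mail gateway or a send-hook is environment-specific; the point of the check is that a BLOCK finding stops the message and a CONFIRM finding forces the sender to consciously acknowledge that data is leaving the organisation, rather than relying on the sender noticing the mistake unaided.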
While it is now a legal requirement to report a personal data breach to the ICO, this is only required where there is a risk to the rights and freedoms of an individual. The ICO warns that over-reporting is occurring, as organisations err on the side of caution by reporting everything. Over-reporting could result in scrutiny from the ICO as well as damage to a firm’s reputation.
As hackers look to target weaknesses, it is time to do everything possible to increase knowledge and awareness amongst all users. Implementing efficient training programmes will not only bring data protection to the forefront of people’s minds, it will also allow organisations to demonstrate compliance with legislation.
What do you think is the biggest weakness amongst users when it comes to personal data security? And how could this be addressed?