Are you listening? Because, it's all your fault | DMA


In 2014 it was hard to avoid all the talk about cyber-attacks on huge organisations like Sony or Target. However, encryption service provider Egress released the results from a Freedom of Information (FOI) request and the results show that cyber-criminals should not be your biggest concern. It was revealed that over 90% of data breaches in 2014 were due to human error rather than deliberate attacks. That’s WAY more than it should be, especially given how easy those errors are to avoid!

How can it happen?
No fines have been issued to organisations for breaches due to technical faults, whereas there has been £5.1m worth of fines issued to those who have made human error breaches. Human error data breaches can happen in so many different ways but there has been particular emphasis on:
o Laptop theft – it sounds strange but it’s true: laptop theft accounts for a lot of data breaches. One example comes from Los Angeles, where an unencrypted laptop was stolen from Cedars-Sinai hospital, leading to a data breach of 500 patients’ medical data;
o Email – sometimes it’s hard to know whether email is our friend or foe; spam emails have resulted in many data breaches. The obvious example is American department store Target, which was the “target” of a massive breach that was traced back to a phishing email containing malware. As a result, thousands of customers’ credit and debit card information was compromised;
o Unauthorised access – where an organisation stores personal data, access to that data must be restricted to those whose job requires it. For example, the person who comes to clean the office on a morning does not need access to the company database.

What to do?
It seems like one of the best ways to stop this from happening is training staff and giving them the correct information. Whether it be giving them policy documents or holding training sessions, it needs to be done, otherwise your organisation may be on the receiving end of an ICO fine! Training doesn’t have to be hard either; it can cover simple things like:

Passwords:
o Encourage the use of strong passwords that include upper and lower case letters, numbers and symbols;
o Have different passwords for each site accessed, so that if one site is breached, other sites, and the data on them, will not be in danger.

Email policies:
o When you receive emails from unknown senders, ignore them;
o Hover over any links on emails to check where they will lead you;
o DO NOT open any attachments from unknown senders!

Appropriate access:
o Role-based access control: only those who need access to data will have access.

Encryption:
o If, for example, a laptop is stolen but the data on it is encrypted, the loss is not a breach as the data cannot be accessed;
o Encryption can also be applied to emails when personal data is sent via email.

Preaching to the choir?
It may seem like this is all common sense for businesses, but the recent FOI results suggest that this common sense isn’t being applied. The alarming rise in data breaches due to human error from 2013 to 2014 can be seen across multiple sectors, for example the 101% increase for healthcare organisations and 143% in general business. Businesses can take simple steps to help bring the numbers down; after all, the statistics don’t lie!
