Data privacy is a non-negotiable in today’s workplace. But data protection can be complex to implement and difficult to monitor risk, meaning that not all organisations have the capacity or the expertise to keep up to scratch.
According to the Office of the Australian Information Commissioner (OAIC), data breaches in Australia have increased by 700% in the last year alone. Interestingly, while 60% of data breaches were attributed to malicious or criminal attacks, a staggering 35% of breaches were attributed to human error.
Employees are a significant risk to the organisation’s data. Human error breaches can be as simple as sending an email to the wrong recipient or accidentally disclosing confidential information. So even with cybersecurity measures in place, data is leaving organisations without staff even being aware they’ve leaked it.
Luckily, human error is manageable because many organisations share similar and easily addressable workplace mistakes that expose them to breaches. Let’s look at simple ways data is leaving an organisation and what you can do to minimise the risk.
Lack of security awareness
A general lack of awareness of cybersecurity and data privacy requirements is the leading cause of data breaches due to human error. While cybersecurity may be top of mind for business owners, employees on the other hand may not be aware of cyberthreats or necessarily understand the risks associated with unintentionally leaking data.
Threats, especially phishing attacks, are becoming a lot more sophisticated and cybercriminals are devising methods to lure employees into sharing sensitive data. Antivirus and cybersecurity solutions are one way that organisations can defend against threats, however, awareness needs to be the first point of defence. Awareness can be improved through the following strategies:
Internal awareness assessment
This involves assessing the knowns and unknowns about cybersecurity in the organisation. This can be achieved through a companywide survey or a workshop to understand the current awareness level amongst all employees. External consultants can also be employed to perform a security risk assessment and tests on employees to understand the gaps in their knowledge.
Cybersecurity education
It’s important to assume that not all employees have an understanding about threats and how human error breaches occur. Therefore, cybersecurity education should be an integral part of the employee onboarding. To ensure employees stay up to date with the current threat landscape, organisations can also schedule more regular security training sessions to refresh employees on the data privacy policies and update them on sophisticated attack methods.
More on data and security issues: Here’s why businesses desperately need to give their data the Marie Kondo treatment
Appointing internal champions
Allocating roles and responsibilities to employees for developing and maintaining proper security practices within an organisation is essential. A method to apply this is through the principle of least privilege (POLP) and ‘sharing data on a need-to-know basis’ as the best way of providing employees data. This method restricts the amount of data that can accidentally leave the company through human error.
Passing on confidential data to external accounts
Human error typically occurs when, unawares, an employee emails or sends sensitive information to an external address or uploads it onto their cloud storage services without the proper security measures in place. This means data is sent out of the organisation with the risk of it being shared further through secondary, less secure sources.
A way to minimise this risk is to ensure employees understand the different levels of sensitivity when it comes to sharing data and have the proper processes in place to treat the information at hand accordingly. This way, employees will follow protocol when sensitive data is being shared across the organisation or with a third-party supplier.
Ensuring the security of mobile phones or portable devices
An employee might upload confidential customer data onto their personal Dropbox account, for example, which may be connected to their mobile phone or laptop. The risk this poses for a company’s security is exponential.
A mobile phone can provide direct access to corporate data. A portable device (e.g. laptops, mobile phones and tablets, etc.) might be more easily hacked, being outside a corporate network and without the latest protection from malware. Similarly, a personal Dropbox account can be compromised if suitable password practices haven’t been maintained. To limit these risks, you need to have the right security controls in place.
However human error is inevitable, so establishing a suitable mechanism for managing portable devices is an important part of every organisation’s security posture. Establishing suitable encryption mechanisms for corporate data across all devices is one practical step. The ability to disable or even wipe lost or stolen mobile devices is another. To improve security and minimise the risks for all email and data storage systems, organisations can also implement email or web content filtering systems to prevent access to potentially compromised links and content.
Realistically, data breaches as the result of human error are unavoidable but the risk can be minimised across the organisation through simple, inexpensive methods. Employees need to be aware of how data may be leaving their organisation, what the impact might be and what they can do to prevent unintended consequences.
Sylvia Choa is Cybersecurity Principal Consultant at KJR. Follow her stories on our LinkedIn, Twitter, Facebook and Instagram.