Despite these measures, security breaches still happen. The majority of security breaches are not primarily caused by hackers, as might be expected. The primary cause of data breaches, and therefore of data loss, is human error from within the organisation.
Although breaches caused by human error are not as financially devastating as those caused by hackers, according to the 2019 Cost of a Data Breach Report by the Ponemon Institute the average cost of such a breach was still $3.5 million.
What is human error?
Human error occurs when a person within an organisation mistakenly or unintentionally carries out an action that causes problematic interference with a task or system, such as damage to software or hardware. Examples include the accidental deletion of a file, poor configuration, accidental physical damage, or a lack of the skills required to complete a task, to name a few.
What are the most common causes of data loss?
Data loss caused by human error is not always down to ‘users’; some of the most catastrophic errors are actually made by IT management and can include:
- Weak data handling procedures.
- Unclear data security policies.
- Poor staff training programmes on cyber security.
- Poorly configured network systems.
- Access rights given to the wrong members of staff.
The most common preventable human error examples of data loss include:
- Deleted files – It’s easily done. Files get deleted and the IT department then has to try to retrieve them, often by going back to an earlier backup. However, that backup will not include any work carried out since it was made, and the deletion is often not noticed for weeks or months, making retrieval even more difficult.
- Misplaced files – Documents on a network could be misfiled into the wrong folder meaning it could be effectively lost to the workforce. There is also the additional concern of hard-copy files containing data being misplaced.
- Weak passwords – Examples include using the names of your children or your favourite TV show, or reusing the same password for every login. Passwords should be complex, with between 8 and 10 characters and a combination of upper and lower case letters, numbers and symbols. Passwords should also not be shared or written down in an easily accessible document.
- Out of date software – Although you may have installed the most up-to-date security software on the market, if it is not updated regularly it stops being effective.
- Phishing links – Even the most IT savvy member of staff may fall for a phishing scam by clicking on a link in an email (or an SMS) that seems to have come from a legitimate place.
- Careless data handling – Many people have emailed the wrong person or attached the wrong document to the email meaning that sensitive data ends up inadvertently in the wrong hands. Additionally, sensitive data may be sent via unsecured and unencrypted email attachments or accidentally published on public websites.
- Inappropriate data access – Some users are granted access to data on the company’s network for which they have no need. As well as offering access to data they shouldn’t see, users could also have access to admin rights which could enable them to delete data or change configurations that have a far-reaching effect.
- Not adhering to security procedures – In an attempt to complete work quicker or to reduce the inconvenience created by extra security measures (such as updates or notifications) some users may cut corners on the security and therefore compromise data security.
- Ransomware – A ransomware attack happens on average every 40 seconds, and often access is gained due to human errors. Often ransomware is delivered to the user by spam or phishing emails where a link or an attachment contains the virus.
For more information on this subject, read our blog: Most Common Causes for Data Loss. You can read more about our backup and disaster recovery services here.
How can data security prevent human error?
It is impossible to prevent all human error. However, by implementing some security best practices within your organisation, such errors can be reduced.
- Implementing a security policy – Ensure all security and data security policies are defined and clearly recorded. These policies should outline how data should be handled and by whom as well as the software and procedures in place.
- Training – Regular training to ensure all staff are clear on security policy but also why such measures are in place and the implications of making an error.
- Appropriate access – Users should only have access to the data they need to complete their job. This prevents any accidental deletion or changes to important data or configurations.
- Employee monitoring – Knowing what staff are doing (or not doing) at any particular moment is impossible, so data breaches may go unnoticed for some time. However, employee monitoring software can identify erratic or inappropriate behaviour before it becomes a security problem.
- Regular backups – It is vital to have a regular data backup and recovery process in place ensuring that all data is backed up and stored somewhere off-site making retrieval of lost data easier.
- End-to-end encryption – When sending data over the internet, encrypting it ensures that only the intended recipient, who holds the decryption key, can read it. This means it cannot be intercepted and read on the way by unauthorised third parties.
Examples of data loss caused by human error
Regardless of the size of the organisation, everyone is potentially at risk from data loss caused by human error. For example:
- NHS (2015) – A Soho clinic sent out a newsletter to more than 780 subscribers. However, they put the email addresses into the ‘To’ field instead of the ‘BCC’ field, meaning all 780 addresses were visible to everyone who received the email.
- Sony Pictures Entertainment – More than 100 terabytes of data were lost after the company’s top executives received an email, supposedly from Apple, with a link that led to a phishing website. This enabled hackers to gain access to their Apple account details and also to staff LinkedIn profiles.
- The US Marine Corps Forces Reserve (2018) – They accidentally sent the personal details of thousands of marines, sailors and civilians in an unencrypted email to the wrong email address.
- eBay (2014) – They lost the details of more than 145 million clients, including names, addresses, email addresses and passwords. This happened after hackers stole the details of just 100 employees.
- Veeam (2018) – A backup and data recovery business noticed that a database holding more than 200 gigabytes of customer records was not password protected, meaning anyone who found the file could open it.
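The misaddressed newsletter above, and the careless data handling described earlier, are the kind of mistake an outbound-mail check can catch before the message leaves. The following is an added example, not code from the original post or from CiS: it parses a constructed message and flags one whose To/Cc headers expose many recipients to each other; the recipient limit and the sample addresses are assumptions.

```python
import email
from email.utils import getaddresses

# Constructed sample: a newsletter with every subscriber in the To field
# (the mistake behind the NHS incident above).
EXPOSED_MSG = """From: newsletter@clinic.example
To: alice@example.org, bob@example.net, carol@example.com, dave@example.org
Cc: erin@example.net
Subject: Monthly update

Hello all,
"""

# Constructed sample of the safe form: sender in To, subscribers in Bcc.
SAFE_MSG = """From: newsletter@clinic.example
To: newsletter@clinic.example
Bcc: alice@example.org, bob@example.net, carol@example.com
Subject: Monthly update

Hello all,
"""

def visible_recipients(raw: str) -> list[str]:
    """Return every address exposed in To/Cc. Bcc is deliberately ignored:
    the mail server strips it, so those recipients are not shown to each other."""
    msg = email.message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(fields) if addr]

def bulk_exposure_risk(raw: str, limit: int = 3) -> dict:
    """Flag a message whose visible recipient list exceeds `limit`
    (an assumed policy value); such mail belongs in Bcc or a list tool."""
    rcpts = visible_recipients(raw)
    domains = sorted({a.split("@", 1)[1] for a in rcpts})
    return {"visible": len(rcpts), "domains": domains, "flag": len(rcpts) > limit}

if __name__ == "__main__":
    print(bulk_exposure_risk(EXPOSED_MSG))  # flag: True
    print(bulk_exposure_risk(SAFE_MSG))     # flag: False
```

In a real deployment the same check would sit in a mail gateway or DLP rule and hold the message for review rather than just print a result.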
Data loss prevention should be a high priority within your business, and staff education is a key tool in your arsenal. If you would like to learn more about our IT services, contact the team at CiS about ensuring your data is as secure as it can be.