Since March 2020 we have all been closely watching the news. We’ve roller-coasted in and out of lockdowns, analysed decision making and pinned our hopes on improvement. All the while cyber-crime has carried on, if not revelled in the improved landscape of opportunity that the pandemic has presented.
We are often directed towards alarming statistics that outline the increased threat and impact of data breaches from poorly protected infrastructures and insecure home working practices. Take a quick peek at UpGuard's Biggest Data Breaches blog to see some very recent headlines featuring some all too familiar brands. We should only expect this list to grow.
Data leak prevention is about more than cyber
As the cyber resilience and data protection moguls try to keep up with the ever-advancing digital landscape, it’s important not to lose sight of some of our more basic threats and how to mitigate them. For instance, how much do you know about the threat of internal data breaches?
What is the most common cause of data loss? The human factor.
Did you know that, of the nearly 2,500 data breach incidents reported to the ICO between January and March 2021, over 70% are attributed to non-cyber related activity, and all of them originate from internal errors?
It is important not to understate the damage that cyber-related incidents can cause, but it is essential to highlight the prevalence of data leakage incidents caused by lapses of concentration, poor data processes or irresponsible behaviour – those apportioned to human error.
With such a high percentage of these incidents down to our own lapses, and a growing focus from our insurers on forensically investigating incidents, it has never been more important to understand exactly what is taking place with our own and our clients’ data within our digital workplace.
Minor error, major impact
The ICO collates and publicises reported incidents on a quarterly basis. Many might be alarmed to learn that over 38% of all non-cyber related data leak incidents are due to data being emailed, posted or faxed to the wrong person.
In comparison to a hacker installing malware and holding your business to ransom, it might not sound like a big deal. But how would you feel if your mortgage paperwork, with all your income information, was emailed to someone else in error? What action would you want to take if you knew an unauthorised hospital worker was accessing your medical records? And what would be the impact of discovering that your legal representation had ‘misplaced’ your file?
Data leaks occur in all manner of ways and are often overlooked as minor incidents, with only the most severe hitting the headlines.
This means that data leakage likely happens far more often than we know, so the ICO may be seeing only a fraction of the picture. As blended working practices become more prevalent, the chances of all these instances being identified and reported properly become even less likely. Unless you know that you are seeing and hearing about every minor and major misstep inside your business, it is likely that you too are unaware of the real data breach threat.
Ticking the GDPR box is a great start, but as a stand-alone activity it will not change the impact of data leakage and/or breach. Seeking and achieving ISO accreditations and quality standards also helps to gain visibility of permissions, processes and the safety of data, but again this could be considered a superficial layer of risk mitigation if you can’t evidence and demonstrate a fully embedded data protection ethos when it counts.
My personal data is different to the data the company holds
To gain a clearer picture of our internal attitude towards data we can start by asking ourselves, ‘Have I ever emailed the wrong client a piece of information that wasn’t for them – and then not told anyone?’, or ‘Have I ever left confidential papers lying around on my desk?’, or ‘Have I ever left my laptop or mobile unlocked and walked away from it?’
Many of us would have to hold our hands up to at least one of these. If that is the case, then we should reflect, ‘how would I feel if someone was doing that with information about me?’ and ‘what advice would I give them to keep my information secure?’
Perhaps we should start by recognising the link between human behaviours and most recorded internal data breaches. We should also accept that it is likely impossible to prevent data breaches in their entirety. However, an approach that combines both technology and people can be taken to help limit the risk.
Joseph Chukwube, the Founder of Digitage, provides valuable insights into how to bring people and technology together, reframing the view that ‘people are weak points’ to the perspective that ‘people are strong assets’.
Typically, when we talk about assets we quickly move to the value and protection of those assets. Using this most basic of principles, how do we protect our people against a data breach?
How can you protect against data loss?
A cursory glance across our teams and processes is never going to be enough when looking to understand the risk, impact and required mitigations of a human-led problem. What’s required is a much deeper dive into the behaviours, attitudes and standards that set the company tone. If they are wrong, then perhaps the company should reverse the cycle by resetting the ethos and then matching behaviours to the desired cultural state.
Why is this so important?
Culture and controls largely feed the principles and standards that people work to. What people need to understand is that they play a vital part in the cyber and information security of any organisation. Data processing and protection falls firmly into that bracket. A security-first culture is desirable, as is the need to set controls. Joseph’s view is that ‘any user, program or process should have only the bare minimum of privileges necessary to perform its function. Granting a user more access than they require for any legitimate activity carries the risk of expanding the potential breach surface.’
Surely everyone knows!
We must not assume that every user has the appropriate level of knowledge or training to determine what is right and wrong in every scenario. Thus, training and education should be compulsory. How many of the team know what the consequences of a data leak are? If the answer is ‘not everyone’, then it is time to educate.
As part of that training, the need to communicate quickly should be understood by all. A practised breach communication and process plan can minimise the ‘blast radius’.
As we career into a world where digital transformation is rife and automation is king, it is easy to overlook the ‘what if’ when it comes to humans making a mistake. Easy communication in this regard is imperative. People who feel they can’t be open and honest about their mistakes won’t be, and so the problem continues. And when it keeps going wrong and remains unreported, the stats are skewed. The problem gets buried deeper and deeper, only being split wide open when a major incident takes place.
Bamboo’s Digital Assurance team have already worked with many companies on their data leak prevention. We can assist by enhancing your digital maturity with our security by design approach to ICT services, facilitating accreditations and running training needs analysis and programs. Call the team on 01242 227 227 for more information.