Halloween just passed, Mariah Carey is defrosting as we speak, and we have less than 2 more months to go until the end of the year, but sadly enough our own mistakes already account for 82% of the data breaches of the past 10 months.
A data breach occurs when a security incident results in a loss of confidentiality, availability, or integrity. In most cases, data breaches are, unfortunately, caused by a core part of our existence: human mistakes.
In the world of security, we call a mistake like this “human error”, which refers to an unintentional action, or the lack of one.
Categories of human error
There are two categories of human error. Both categories are based around a person’s knowledge level and can thus be prevented.
Skill-based errors
The first category is the skill-based error, also known as slips and lapses, which happens when an employee makes a mistake on a familiar task. The employee knows how the process is generally completed but fails due to neglect or misjudgement.
Another possibility is a memory lapse: the employee is tired or distracted, or simply forgets a step. In this sense, a well-rested and well-cared-for employee is less likely to cause a data breach.
Delving deeper into the skill-based error: employees who fall into a phishing trap make a skill-based error, since they are usually aware that phishing mails exist. However, a phishing mail can sometimes be so convincing that even the best-trained employee makes a wrong judgement.
Decision-based errors
The second category is the decision-based error. This type of error occurs when an employee makes a faulty decision due to either a lack of knowledge or a lack of relevant and sufficient information.
A lack of reaction can also be a faulty decision. A classic example is the employee who isn’t aware that all documents containing data should be shredded. They might just throw the documents out in a container, which can then lead to a data breach. Sufficient data protection training and awareness are key to preventing data leaks from happening.
Examples of human errors
Human errors come in all shapes and sizes. We’ve listed the four most common ones. Chances are you’ve encountered them in your own organisation.
1. Efficiency and knowledge
We’ve all had it happen before… pushing “send” too quickly on an email. It happens very often that information is sent to the wrong recipient through a small distraction or through wanting to get a job done quickly. The consequences can be dire if that mail contained personal or sensitive data.
2. Passwords
It’s no surprise that passwords are man’s worst enemy. We all hate having to come up with new (and let’s be honest, complicated) passwords. As we’re so widely connected online, it’s become nearly impossible for our human brain to remember all these passwords.
According to a study from the NCSC, some services still allow people to use passwords like 1233456. You could just as well hand a hacker the keys to your organisation. In addition, 45% of people reuse passwords from their e-mail account for other services as well.
Reusing the same password, or opting for an easy-to-guess one, is one thing; but writing passwords down on a post-it, or even typing them up and saving them on your OneDrive, is just as bad. Consider investing in a good password manager for your employees to prevent data leaks through compromised passwords.
3. Patching
Patching is the process of repairing a vulnerability in an app or other software after its initial release. It’s imperative that users install security updates the second they become available, as cybercriminals are constantly on the lookout for software vulnerabilities to exploit.
4. Physical security errors
Protecting yourself against cyberattacks is important, but it’s just as important to be aware of physical risks, such as confidential information being viewed or, even worse, stolen by an unauthorised person. Leaving the door open is a big no-no.
How to prevent employees from causing a data breach
Of course, these risks can be prevented by taking appropriate measures. Below we present some of the easiest measures to implement; it all starts with small improvements that can lead to big results.
Training & Awareness
First and foremost, it’s important to address the lack of knowledge, and thus reduce the decision-based error. A very easy way to do this is by giving employees appropriate training so that they’re aware of their actions and have insight into the consequences.
Culture Reset
Secondly, a culture reset might be necessary when it comes to information security. If awareness is low and carelessness is high, consider implementing best practices and ensure a blame-free environment where people can take responsibility and be accountable for their mistakes without being chastised. Involving employees in the situation and in resolving the problem will likely diminish the chance of recurrence, because they will have a clearer view of what went wrong.
Password Management
Lastly, the opportunities for data breaches need to be reduced. The two most simple and common ways to do this are password management, and privilege control.
Privilege control focuses on confidentiality by ensuring no unauthorised people can access files they don’t need to perform their roles.
Password management, on the other hand, entails using a password manager application that stores all your passwords.
The upside of this is that employees don’t have to remember all the passwords anymore and don’t have to rack their brains to come up with a new one each time. All they need to do is memorise one password that opens the gate to a world full of other passwords.
We wouldn’t want Santa Claus to give our presents to someone else because of an elven error, would we? Let’s do our best to keep the 82% at bay till the end of the year so we can start the new year wiser with these tips!