Cybercrime, which encompasses online attacks and data hacks, is rising fast and having a massive impact on businesses everywhere. The Department for Digital, Culture, Media and Sport recently released its Cyber Security Breaches Survey. Findings revealed that 32 per cent of businesses have identified cyber security breaches in the past 12 months, costing them an average of £4,180 in lost assets. In addition, more than a quarter of businesses (27 per cent) reported that dealing with breaches took up staff time, while 19 per cent of staff were forced to stop working altogether following a data breach.
However, despite the risks posed by cybercriminals, figures released under the Freedom of Information (FOI) Act revealed that human error is a staggering seven times more likely to contribute to data protection breaches than much-maligned hackers. Mistakes of this kind are likely to cost businesses dearly in terms of lost profit margins and decreased productivity.
According to the FOI data, 2,124 incidents reported by organisations in 2017/18 could be pinned on mistakes or incompetence, whereas only 292 were classed as having a cyber element. Many of the common, everyday internal risks to data privacy are entirely preventable. It is vital that businesses are aware of these situations so that they can properly implement data protection laws and frameworks to protect their operations, reputation and bottom line.
To help organisations guard themselves against human errors, hosted desktop provider Cloud Geeni has explained the top mistakes being made and how to deflect them.
Today, more and more employers promote flexible working and, subsequently, allow their staff to work remotely. While this has many benefits, such as improved work-life balance and productivity, taking personal and sensitive data out of the office inevitably increases data security risks. Merely leaving a laptop open when working on a train could result in a severe data breach for a business. In fact, according to software giant iPass, a remote/mobile workforce is the biggest threat to a company’s data security.
Gary Jones for Cloud Geeni says: “To help prevent data loss or theft, businesses must implement robust policies and procedures. They include Two Factor Authentication (2FA), for secure cloud access, adequate password controls, installing antivirus software and the ability to quickly remove sensitive data from devices remotely.”
According to IT security firm Mimecast’s State of Email Security 2019 Report, 94 per cent of organisations have experienced either phishing or spear phishing attacks in the past 12 months. This is why it is vital that businesses and their employees recognise fraudulent attempts to obtain sensitive information, such as usernames and passwords.
Gary Jones explains: “Criminals are getting more sophisticated and sometimes it is almost impossible to tell a fake email from a real one. As such, businesses should look at how else they can improve resilience against phishing. For example, by implementing trusted anti-spoofing controls such as DMARC, SPF and DKIM.”
Handling personal data
Without having adequate security measures in place, it is easy to see how printed information left on a desk could be viewed or stolen. But even unattended computers are a threat because if someone sits at a desk other than their own, they could easily get access to data which they are not authorised to see. Gary Jones says: “To protect your employees from this threat, implement a ‘clear desk and screen’ policy and ensure that the entire workforce abides by it.”
If personal and sensitive data is not correctly disposed of, it runs the risk of falling into the wrong hands. As such, your organisation should correctly destroy and get rid of all confidential waste. This could be via a corporate shredding policy or through a media destruction service.
Unauthorised systems, apps or devices
Systems, apps and devices which are not effectively managed are vulnerable to attack. To that end, it is vital to establish which devices and applications employees are permitted to use. It is also essential to prevent employees from installing unauthorised software on their work devices, to avoid the risk of malware and ransomware attacks.
Gary Jones adds: “Where people are using personal devices to access confidential information, businesses should create a ‘bring your own device’ policy. This will confirm exactly which devices and applications are allowed to access a given network, where and how they can be accessed and the consequences of breaching the policy.”
According to the Information Commissioner’s Office, most security breaches happen because of distractions or mistakes. For example, it is all too easy to send an email to multiple customers without using the blind carbon copy (bcc) functionality. But, if an employee allows the recipients of an email to see one another’s email addresses, businesses could face a data breach investigation.
“Mistakenly attaching the wrong information to an email and misspelling an email address and sending it to the wrong person are also common data privacy errors,” says Gary Jones. “In response, there must be strict policies and procedures in place to ensure the safe processing of information.”
Online data is not the only worry for businesses. Sticking the wrong address label on an envelope and posting it to the wrong person could carry equally serious consequences. So, when it comes to data protection, it pays to consider all the different ways in which data is used and shared.
In many cases, data protection is not taken seriously and human errors occur because people do not understand their own personal data protection responsibilities. As such, organisations must have an acceptable use policy (AUP) in place which spells out what is and is not acceptable when it comes to using digital technology.
“In addition to creating an AUP, businesses should ensure that all employees receive regular data protection training to make certain that they understand the potential consequences of breaching data protection laws,” adds Gary Jones. “They should understand the common threats and be fully aware of the online safety rules and their obligations.”
When it comes to data breaches, the best line of offence is a strong defence. Being aware of potential human errors in the workplace and putting strategies in place to protect against them means that businesses can drastically reduce the chances of a detrimental data breach.