People make a mistake roughly once every 200 to 20,000 actions. So wherever humans play a role in a system, it is very likely that they will make mistakes: writing '2017' when it should be '2018', forgetting their keys, calling somebody by the wrong name. These things happen; after all, you cannot make an omelette without breaking eggs.
Most people spend a large part of their time at work. Since 93% of Dutch people use the internet and email at work, it will be no surprise that many of these mistakes happen there. We will discuss the top three errors that cause data breaches.
Error 1: wrong recipient / wrong content (47% of all data breaches)
The all-time number one: sending or delivering personal data to the wrong recipient. We have all done it: sending an email to the wrong person. You want to send something to Rick and start typing "Ric". Your mail application completes the name, and you press "send". Then you see, to your horror, that the message went to Richard Jones instead of Rick Johnson. Or you attach the wrong file to your message and send it. It happened within a few seconds, but if the message contains personal data, this is a data breach in the legal sense, not just a slip. The impact can be enormous: reputational damage to your organisation, or a fine. And the people whose data you sent may become the victims of identity theft.
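As an added example (not code from the original article), here is the kind of pre-send check a mail client or mail gateway can run to catch the slip described above: it warns when the prefix the user typed matches more than one contact, so the autocompleted address may be the wrong one, and when a recipient is outside the organisation's own domain and has never been mailed before. The address book, the domain `example.org`, the names and the mailing history are constructed sample data.

```python
"""Pre-send recipient check against mis-addressed mail.

Added example, not code from the original article. Flags two situations
before the user presses "send":
  * the prefix the user typed matches more than one contact, so the
    autocompleted address may be the wrong one (the "Ric" case);
  * a recipient outside our own domain that has never been mailed before.
The address book, domain and history below are constructed sample data.
"""

# Assumed: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.org"}

# Constructed address book the mail client autocompletes from.
ADDRESS_BOOK = {
    "Rick Johnson": "rick.johnson@example.org",
    "Richard Jones": "richard.jones@partner.example",
    "Ria Cole": "ria.cole@example.org",
}

# Constructed history of addresses this user has mailed before.
PREVIOUSLY_MAILED = {"rick.johnson@example.org", "ria.cole@example.org"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def matching_contacts(prefix: str, address_book: dict[str, str]) -> list[str]:
    """Addresses of all contacts whose display name or address starts
    with the typed prefix (case-insensitive). More than one hit means
    the autocompleted choice deserves a second look."""
    p = prefix.lower()
    return sorted(
        addr for name, addr in address_book.items()
        if name.lower().startswith(p) or addr.lower().startswith(p)
    )


def check_recipients(typed, address_book=ADDRESS_BOOK,
                     internal=INTERNAL_DOMAINS, known=PREVIOUSLY_MAILED) -> list[str]:
    """typed: list of (prefix_the_user_typed, address_the_client_completed_to).
    Returns warning strings; an empty list means nothing suspicious."""
    warnings = []
    for prefix, chosen in typed:
        # Other contacts the same prefix would have completed to.
        others = [a for a in matching_contacts(prefix, address_book) if a != chosen]
        if others:
            warnings.append(
                f"'{prefix}' was completed to {chosen} but also matches "
                f"{', '.join(others)}; confirm the recipient"
            )
        # First-time external recipient: the data is about to leave the organisation.
        if domain_of(chosen) not in internal and chosen not in known:
            warnings.append(
                f"{chosen} is outside {', '.join(sorted(internal))} and has never been "
                f"mailed before; confirm the recipient"
            )
    return warnings


if __name__ == "__main__":
    # The scenario from the text: "Ric" autocompletes to Richard instead of Rick.
    for w in check_recipients([("Ric", "richard.jones@partner.example")]):
        print("WARNING:", w)
    # Unambiguous internal recipient: no warnings.
    print(check_recipients([("Rick J", "rick.johnson@example.org")]))
```

The check deliberately does not block sending: the point is to make the user look at the recipient list once more at the moment the mistake is cheapest to undo, which is before "send" rather than after.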
Error 2: lost data carrier (23% of all data breaches)
Another error that occurs quite often: a data breach caused by the loss or theft of a device, data carrier or paper. 'Data carrier' is probably not a term you use very often, but think of the laptop stolen from your car, or a DVD or USB flash drive that got lost. Lost (or opened and returned) letters and parcels are the most common error in this category, accounting for 9% of all data breaches on their own. This type of error is easy to avoid: stop using physical data carriers and send large files digitally, making sure that the data reaches the right recipient (see error 1). Devices you cannot do without, such as laptops and phones, should be encrypted, so that a stolen laptop is a lost laptop rather than a data breach.
Error 3: hacking, phishing and/or malware (6% of all data breaches)
This type of error occurs far less often than you would think, even though it is a broad category. Hacking means that an unauthorised party deliberately gains access to information, for instance by breaking into a system or intercepting messages. Phishing means that a user is tricked into clicking a link or opening an attachment, which installs malware or captures their password. Infection often occurs through infected files such as mail attachments, or through online advertisements that exploit a vulnerability in outdated software. Employees who cause these types of data breaches are often not well informed about the dangers, yet the impact of infected network drives or cloud storage is significant. Education and awareness help prevent this type of data breach. Against hacked mailboxes, we advise choosing a solution in which access to messages can be revoked remotely if necessary. Interception of messages in transit can be prevented by means of encryption and TLS. Note that TLS only protects the connection between mail servers; it does nothing for a message delivered to the wrong recipient or read from a compromised mailbox, which is why the first two errors need other measures.
Having read the above, you will understand that preventing data breaches takes more than good encryption. If you do not take the human factor into account, you are wasting time and effort. Precisely because humans play such an important role at the start of a data breach, it is essential that they are aware of the sensitive data they handle and the risks involved. But how do you make this subject real for your colleagues? How do you create a permanent focus on privacy in your organisation? Read about it in our e-book Create awareness on privacy and the GDPR.