Human error is the primary cause of most data leaks. The Dutch lend a helping hand pointing out the causes
Data privacy has never been such a hot topic. Media outlets around the world are covering extensively the issue of cyber attacks and security threats that leave big companies counting the costs of data leaks. However, it appears that the cause of data leaks is only for a very small part attributable to external threats. The leading Dutch data leak reporting system reveals that in reality, unintentional human error before and after sharing sensitive information is the most significant concern in regards to sensitive data breaches.
A recent report by DLA-Piper shows an enormous variation in the number of data leaks reported in European countries since the inception of the General Data Protection Regulation (GDPR). Interestingly the report showed that the Dutch reported most data leaks by far, with about 5 times more per inhabitant than for example, Germany, the UK, and 25 times more than in Belgium.
In the Netherlands 20.881 data leaks were reported to the Dutch Data Protection Authority in 2018. An astonishing 63% of reported compromised private information was due to data being sent to the wrong recipient. These incidents come down to a variety of occurrences such as emails being sent to the wrong individuals, or specific information being disclosed by mistake in response to a request. Other reasons included losing a letter or receiving it back opened (9%), lost or theft of a storage device such as a USB-stick (7%), and hacking, malware and phishing (together 4%).
The numbers acquired by the Dutch report raise some questions such as:
Why is the number of data leaks reported in the Netherlands so much higher than in other European countries?
Why is the human error issue when it comes to data protection not a central topic of conversation at a moment in time when privacy is centerstage?
What are the solutions to preventing human error and why are they not widely implemented?
To answer these questions, it is necessary to take a more in-depth look into Dutch culture, the media, and how organisations around the world deal with data protection.
The Dutch reporting culture as a world benchmark for digital data protection
On January 1st, 2016 the Netherlands upgraded the Dutch Data Protection Act with mandatory reporting of data leaks with the risk of a fine for those who would fail to comply with this requirement. It was then one of the first fully comprehensive set of rules regarding data leak prevention and reporting in the world. The highly organized Dutch public authorities were in the process of digitization of its data and operations. Such protection act was seen as necessary to protect the Dutch citizens from possible private data mishandling, as well as, to promote trust in the country’s digitization efforts. It was used as one of the references, notably together with the deeply rooted German data protection laws for the creation of the GDPR which was enforced in the entire EU on May 25th, 2018. Among the many concepts used as a reference, the timely reporting of incidents was made into one of the GDPR’s centerpieces.
Coming from the Dutch this fact isn’t surprising, data reports regarding events that happen in the Netherlands can be found for just about anything. Organization and record keeping is part of the Dutch DNA, something as simple as taking a look at a regular Dutch person's agenda would prove this point. The Dutch also have one of the best infrastructures of fast and stable internet connections available, and the highest use of electronic file sharing; such as patient records in hospitals and GPs in the world.
The alarming number of 20.881 events of data leakage in the Netherlands in 2018 does not translate into a higher number of attacks compared to other countries. Instead, it reflects the number of reported events. When comparing similar statistics measurements from other European countries since the implementation of the GDPR directive, it becomes evident that the Netherlands is far ahead in regards to data leakage reporting as shown in the chart below.
Why may data leaks due to human error come as a surprise?
2018 has been a historical year concerning the amount of reported high profile data leaks. Ironically, it was also the year when the GDPR was put in place as previously mentioned. Companies that operate in the European Union are now held accountable for data protection and must disclose data breaches promptly or face massive fines. Data privacy was one the most discussed topics in 2018, throughout the year we were bombarded with news headlines such as:
CAMBRIDGE ANALYTICA'S FACEBOOK DATA WAS ACCESSED IN RUSSIA
FITNESS APP POLAR EXPOSES THE PERSONAL INFORMATION OF U.S. MILITARY
EXACTIS EXPOSES NEARLY EVERYTHING ABOUT 230 MILLION AMERICANS
AADHAAR LOGIN BREACH REVEALS DATA ABOUT EVERYONE IN INDIA
MARRIOTT HACK AFFECTS HALF A BILLION PEOPLE WHO STAYED AT ITS HOTELS
GOOGLE PLUS EXPOSED THE DATA OF 52.5 MILLION PEOPLE
There are a plethora of news articles regarding these incidents, their consequences were widely reported in detail. The media focuses on covering high profile data breaches involving large data sets. Individual incidents are less attractive, which leaves audiences oblivious in regards to the costs of research & repair, and the potential image damage related to isolated episodes. It results in the public opinion assuming that the sole responsibility for these attacks is related to hackers, lack of proper cybersecurity, or cyber warfare.
The sensationalism of pointing the finger to the bad guys certainly makes a more exciting story for news consumers since humans are fascinated by criminality. Unfortunately, the high likelihood that these incidents could have been caused by human error was underreported or not reported at all. Leaving the general public unaware that danger is much closer than most people think in regards to data protection. The threat is most likely an innocent and well-intended human that commits an unintentional error. Such a realization should prompt businesses and major institutions to take a more proactive approach to sensitive data protection. The lack of awareness regarding the correlation of data leaks and human error answers the question of why preventive solutions are not widely implemented.
Putting the correlation between human error and data leaks into perspective
The vast majority of organizations nowadays are still highly inefficient at keeping sensitive data safe. The healthcare industry is a great example. The British publication The Register that covers IT and Technology news reported that healthcare tops UK data breach charts. Nearly half of all data breaches reported (43 %) happened within the sector, and that human error was the primary cause. Also in the Netherlands, the healthcare sector reported the highest number of data leaks.
The political sector is another excellent example. Considering the sensitive nature of data regarding politics, and the threat that data leaks impose to national security and the personal welfare of politicians, it is natural to assume that such data would be handled in the absolute highest level of protection available. Nevertheless, in late 2018 German politicians were hit by a massive data breach, ITNews reports. The personal data and documents from hundreds of German politicians and public figures including Chancellor Angela Merkel have been published online in what appears to be one of Germany’s most far-reaching data breaches ever recorded. The Interior Minister Horst Seehofer said in a statement that the incident was caused by, “wrongful use of login information for cloud services, email accounts or social networks.”
In the finance industry data leakage due to human error can have disastrous consequences. On March 31st, 2017, a security researcher noticed a cache of unencrypted consumer information from Scottrade Bank, the banking arm of Scottrade Financial Services, on publicly accessible servers. The database contained names, addresses, and social security numbers of Scottrade contacts, as well as usernames and passwords for various employee accounts. A few days later, it became clear that the data was uploaded in error by a third-party vendor, a professional services firm called Genpact. The breach exposed the information of around 20,000 Scottrade customers. This was one of many data breach incidents associated with the bank in the last decade, for that reason the American Financial Industry Regulatory Authority fined Scottrade US$2.6 million.
The legal sector has seen an exponential rise regarding data security incidents, as reported to the UK's Information Commissioner’s Office. It is estimated that in the past two years the number of data leaks has risen up to 128%. Human error accounted for the vast majority of events, led by data being emailed to the wrong recipient.
While the blame game that puts all of the responsibility onto hackers worked for a moment, the general public and legislation authorities are now holding organizations accountable for data breaches especially now with GDPR in action. The new European regulation could fine companies up to 4% of their global revenue for non-compliance.
Emailing and file sharing pose the highest threat to data leaks
Public & private organizations and institutions, more than ever should take data security very seriously to avoid preventable costs and legal repercussions related to data leaks. All around cybersecurity is of most importance for both external and internal threats. However, since sensitive data is most vulnerable internally, organizations should take extra precaution by implementing solutions that prevent data leakage from within. Particular attention should be given to digital communication in all forms, as most of the data leaks reported stem from employees communicating via email, paper or portal. Especially, emails are more than ever the primary form of interaction in many businesses. On average, employees spend about two hours per day working with emails. It's thus not surprising that email data breaches had been the primary cause of sensitive data leakage as reported by the UK’s independent authority ICO (Information Commissioner's Office). According to the chart below, 93.8% of data breaches were caused by non-malicious human interference happening inside organizations. Considering the ICO report, it's easy to deduce that the majority were related to emails sent to wrong addresses, similar to the 63% in the Netherlands.
Email protection platforms are a simple solution for the costly data breach problem
Emails winding up in the wrong hands can have devastating effects on a business. Such an error can have significant ramifications ranging from client information being compromised, to direct financial loss or major reputational damage. With this in mind, businesses must have an enterprise communication security platform implemented to stop their primary risk of data leakage: misaddressed email messages or unintended information disclosed.
An enterprise communication security platform could prevent data leakage before it happens via email or other forms of digital communication, moreover not merely report an error after it's already occurred. Cybersecurity solutions that can automatically classify sensitive data, evaluate employee behavior and intervene to prevent a breach would be the best alternative. For companies that work on a big scale with large amounts of employees, it's also essential to implement firm-wide staff training on email security As human error with respect to information leaks consistently cost economies millions each year, this reality is turning into a strategic imperative for the implementation of safety platforms and software that can keep it to a minimum. ZIVVER is a perfect example of an all-around Dutch data protection platform that focuses on GDPR compliant data sharing. Not only by including email encryption, but especially in helping users select the correct content (‘your attachment A contains social security numbers, is that correct?’), the correct recipient (‘you never shared medical information with John Doe before; are you sure?’) And the right security measures (‘you are about to share sensitive financial information; do you want to add security to your email?’). This helps organizations in addressing 90+% of the causes of data leaks and significantly reducing the negative impacts of human error in digital communication and file sharing, as well as, preventing possible prosecutions related to GDPR noncompliance.
While mistakes help us learn, with regards to data leaks, it is essential to learn from the best ones and eliminate the rest. That is when the Dutch come to the rescue delivering comprehensive reports that can be used as a worldwide reference for digital communication security. If the Netherlands with it's reporting culture, record keeping, innovative mentality, and incredible infrastructure & technology can protect an entire country from the cold waters of the north sea one can only imagine its capabilities in regards to data protection. In this field, the Dutch are way ahead in the game. A game that shows that you need to help and educate your employees in dealing with sensitive data if you want to win it and keep your company safe.
Do you know how GDPR compliant your company is? Download the checklist below to find out!
Some organisations are already GDPR compliant, others still have work to do to meet the legal requirements. To achieve this, a set of technical and organisational measures is required. There are many step-by-step plans on the Internet to help you with these measures. It is even more important yet to raise the awareness among your organisation’s employees. This is very […]