Human error is the primary cause of most data leaks. The Dutch lend a helping hand in pointing out the causes

Data privacy has never been such a hot topic. Media outlets around the world extensively cover cyber attacks and security threats that leave big companies counting the cost of data leaks. Yet only a very small share of data leaks appears to be attributable to external threats. The leading Dutch data leak reporting system reveals that, in reality, unintentional human error before and after sharing sensitive information is the most significant cause of sensitive data breaches.

A recent report by DLA Piper shows enormous variation in the number of data leaks reported across European countries since the General Data Protection Regulation (GDPR) took effect. Interestingly, the Dutch reported by far the most data leaks: per inhabitant about five times as many as Germany or the UK, and about 25 times as many as Belgium.

In the Netherlands, 20,881 data leaks were reported to the Dutch Data Protection Authority in 2018. An astonishing 63% of the reported compromises of private information were due to data being sent to the wrong recipient: emails sent to the wrong individuals, or specific information disclosed by mistake in response to a request. Other causes included a letter being lost or returned opened (9%), the loss or theft of a storage device such as a USB stick (7%), and hacking, malware and phishing (together 4%).

The numbers in the Dutch report raise several questions:

  1. Why is the number of data leaks reported in the Netherlands so much higher than in other European countries?
  2. Why is human error not a central topic of conversation about data protection at a time when privacy is centre stage?
  3. What are the solutions to preventing human error and why are they not widely implemented?

To answer these questions, it is necessary to take a more in-depth look into Dutch culture, the media, and how organizations around the world deal with data protection.

The Dutch reporting culture as a world benchmark for digital data protection

On January 1st, 2016, the Netherlands extended the Dutch Data Protection Act with mandatory reporting of data leaks, backed by fines for those who fail to comply. At the time it was one of the first comprehensive sets of rules on data leak prevention and reporting in the world. The highly organized Dutch public authorities were in the middle of digitizing their data and operations, and the act was seen as necessary both to protect Dutch citizens from mishandling of their private data and to promote trust in the country's digitization efforts. Together with the deeply rooted German data protection laws, it served as one of the references for the creation of the GDPR, which has applied across the entire EU since May 25th, 2018. Among the many concepts carried over, the timely reporting of incidents became one of the GDPR's centerpieces.

Coming from the Dutch, this is not surprising: reports on just about anything that happens in the Netherlands can be found. Organization and record keeping are part of the Dutch DNA; a glance at an ordinary Dutch person's agenda proves the point. The Dutch also have one of the best infrastructures of fast, stable internet connections available, and among the highest use of electronic file sharing in the world, such as patient records shared between hospitals and GPs.

The alarming figure of 20,881 data leaks in the Netherlands in 2018 does not mean the country suffers more attacks than others; it reflects the number of reported events. Comparing similar statistics from other European countries since the GDPR came into force makes clear that the Netherlands is far ahead in data leak reporting, as shown in the chart below.

[Chart: data leaks reported per European country since the GDPR came into force]

Why may data leaks due to human error come as a surprise?

2018 was a historic year for the number of reported high-profile data leaks. Ironically, it was also the year the GDPR came into force, as mentioned above. Companies operating in the European Union are now held accountable for data protection and must disclose data breaches promptly or face massive fines. Data privacy was one of the most discussed topics of 2018; throughout the year we were bombarded with headlines such as:

  • CAMBRIDGE ANALYTICA'S FACEBOOK DATA WAS ACCESSED IN RUSSIA
  • FITNESS APP POLAR EXPOSES THE PERSONAL INFORMATION OF U.S. MILITARY
  • EXACTIS EXPOSES NEARLY EVERYTHING ABOUT 230 MILLION AMERICANS
  • AADHAAR LOGIN BREACH REVEALS DATA ABOUT EVERYONE IN INDIA
  • MARRIOTT HACK AFFECTS HALF A BILLION PEOPLE WHO STAYED AT ITS HOTELS
  • GOOGLE PLUS EXPOSED THE DATA OF 52.5 MILLION PEOPLE

There is a plethora of news articles about these incidents, and their consequences were reported in detail. The media focus on high-profile breaches involving large data sets. Individual incidents are less attractive, which leaves audiences unaware of the cost of investigation and repair, and of the reputational damage, that isolated episodes cause. The result is a public perception that responsibility for these incidents lies solely with hackers, inadequate cybersecurity, or cyber warfare.

The sensationalism of pointing the finger at the bad guys certainly makes a more exciting story for news consumers, since humans are fascinated by criminality. Unfortunately, the high likelihood that such incidents were caused by human error was underreported or not reported at all, leaving the general public unaware that the danger to their data is much closer than most people think. The threat is most likely an innocent, well-intentioned person who makes an unintentional mistake. Such a realization should prompt businesses and major institutions to take a more proactive approach to protecting sensitive data. The lack of awareness of the link between data leaks and human error answers the question of why preventive solutions are not widely implemented.

Putting the correlation between human error and data leaks into perspective

The vast majority of organizations are still poor at keeping sensitive data safe. The healthcare industry is a telling example. The British IT news publication The Register reported that healthcare tops the UK data breach charts: nearly half of all reported data breaches (43%) happened in that sector, and human error was the primary cause. In the Netherlands, too, the healthcare sector reported the highest number of data leaks.

The political sector is another example. Given the sensitive nature of political data, and the threat that leaks pose to national security and the personal safety of politicians, one would assume such data is handled with the highest level of protection available. Nevertheless, in late 2018 German politicians were hit by a massive data breach, ITNews reports. Personal data and documents of hundreds of German politicians and public figures, including Chancellor Angela Merkel, were published online in what appears to be one of Germany's most far-reaching data breaches ever recorded. Interior Minister Horst Seehofer said in a statement that the incident was caused by "wrongful use of login information for cloud services, email accounts or social networks."

In the finance industry, data leakage due to human error can have disastrous consequences. On March 31st, 2017, a security researcher noticed a cache of unencrypted consumer information from Scottrade Bank, the banking arm of Scottrade Financial Services, on publicly accessible servers. The database contained names, addresses and social security numbers of Scottrade contacts, as well as usernames and passwords for various employee accounts. A few days later it became clear that the data had been uploaded in error by a third-party vendor, the professional services firm Genpact. The breach exposed the information of around 20,000 Scottrade customers. It was one of several data security incidents associated with the bank in the preceding decade; the US Financial Industry Regulatory Authority (FINRA) fined Scottrade US$2.6 million.

The legal sector has seen a sharp rise in data security incidents reported to the UK's Information Commissioner's Office (ICO): the number of data leaks is estimated to have risen by as much as 128% in the past two years. Human error accounted for the vast majority of events, led by data being emailed to the wrong recipient.

While the blame game that puts all of the responsibility on hackers worked for a while, the general public and regulators now hold organizations accountable for data breaches, especially with the GDPR in force. The regulation allows fines of up to 4% of a company's global annual turnover (or €20 million, whichever is higher) for non-compliance.

Emailing and file sharing pose the highest threat to data leaks

Public and private organizations and institutions should, more than ever, take data security seriously to avoid the preventable costs and legal repercussions of data leaks. Cybersecurity against both external and internal threats is of the utmost importance. However, since sensitive data is most vulnerable internally, organizations should take extra precautions by implementing solutions that prevent data leakage from within. Particular attention should be given to digital communication in all its forms, as most reported data leaks stem from employees communicating via email, paper or portal. Email in particular is more than ever the primary form of interaction in many businesses: on average, employees spend about two hours per day working with email. It is therefore not surprising that email incidents have been the primary cause of sensitive data leakage reported to the UK's independent authority, the ICO. According to the chart below, 93.8% of data breaches were caused by non-malicious human action inside organizations. The ICO figures suggest that the majority involved emails sent to the wrong address, similar to the 63% in the Netherlands.

[Chart: causes of data breaches reported to the ICO]

Email protection platforms are a simple solution for the costly data breach problem

Emails ending up in the wrong hands can have devastating effects on a business, ranging from compromised client information to direct financial loss or major reputational damage. With this in mind, businesses should implement an enterprise communication security platform to address their primary data leakage risk: misaddressed emails and unintended disclosure of information.

Such a platform should prevent data leakage via email and other forms of digital communication before it happens, rather than merely reporting an error after it has occurred. Solutions that automatically classify sensitive data, evaluate the sender's behaviour and intervene before a breach occurs are the best option. For large organizations with many employees, firm-wide staff training on email security is essential as well.

As human error in information leaks consistently costs economies millions each year, implementing platforms and software that keep it to a minimum is becoming a strategic imperative. ZIVVER is a perfect example of an all-round Dutch data protection platform focused on GDPR-compliant data sharing. It does this not only through email encryption, but above all by helping users check the content ('your attachment A contains social security numbers, is that correct?'), the recipient ('you never shared medical information with John Doe before; are you sure?') and the security measures ('you are about to share sensitive financial information; do you want to add security to your email?'). This helps organizations address 90+% of the causes of data leaks, significantly reducing the impact of human error in digital communication and file sharing and avoiding prosecution for GDPR non-compliance.
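As an added illustration of the kind of pre-send checks described above, the following Python sketch was written for this page; it is not ZIVVER's code and makes no claim about how that product works internally. It assumes a mail client can hand the sender, recipients, body and the extracted text of attachments to a check before the message leaves, and that the organization keeps a per-sender history of which sensitivity labels have been shared with each recipient. The detection rules (the Dutch BSN checksum, the IBAN mod-97 check and a small keyword list for medical content), the history and the sample message are all constructed for the example.

```python
"""Pre-send check for outbound email: classify sensitive content, compare it with the
sender's sharing history and flag likely misaddressing before the message leaves.
Constructed example for this article; not ZIVVER's implementation."""
import re
from dataclasses import dataclass

# Candidate patterns. A 9-digit number (8-digit BSNs are written with a leading zero)
# only counts as a BSN when it passes the checksum, which drops most order numbers.
BSN_RE = re.compile(r"(?<!\d)\d{8,9}(?!\d)")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
MEDICAL_RE = re.compile(r"\b(diagnos\w*|pati[eë]nt\w*|medisch\w*|medical)\b", re.IGNORECASE)


def is_valid_bsn(candidate: str) -> bool:
    """Dutch BSN 'elfproef': 9*d1 + 8*d2 + ... + 2*d8 - 1*d9 must be divisible by 11."""
    digits = candidate.zfill(9)
    if len(digits) != 9 or not digits.isdigit():
        return False
    weighted = sum(int(d) * w for d, w in zip(digits[:8], range(9, 1, -1))) - int(digits[8])
    return weighted % 11 == 0


def is_valid_iban(candidate: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map A-Z to 10-35,
    and the resulting integer must leave remainder 1 when divided by 97."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not re.fullmatch(r"[A-Z0-9]+", s):
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])  # int('A', 36) == 10
    return int(numeric) % 97 == 1


def classify(text: str) -> set[str]:
    """Return the sensitivity labels found in a message body or attachment."""
    labels = set()
    if any(is_valid_bsn(m) for m in BSN_RE.findall(text)):
        labels.add("bsn")
    if any(is_valid_iban(m) for m in IBAN_RE.findall(text)):
        labels.add("iban")
    if MEDICAL_RE.search(text):
        labels.add("medical")
    return labels


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str]  # filename -> text extracted from the attachment


def pre_send_check(msg: Message, history: dict[tuple[str, str], set[str]]) -> list[tuple[str, str]]:
    """history maps (sender, recipient) -> labels that sender has shared with that recipient
    before. Returns (code, question) pairs for the mail client to show before sending."""
    found = {name: classify(text) for name, text in msg.attachments.items()}
    all_labels = classify(msg.body).union(*found.values())
    sender_domain = msg.sender.split("@")[1]
    known_domains = {rcpt.split("@")[1] for sender, rcpt in history if sender == msg.sender}
    warnings = []
    for name, labels in found.items():
        if labels:
            warnings.append(("content", f"attachment {name} contains {', '.join(sorted(labels))}; is that correct?"))
    for rcpt in msg.recipients:
        domain = rcpt.split("@")[1]
        new_labels = all_labels - history.get((msg.sender, rcpt), set())
        if new_labels:
            warnings.append(("recipient", f"you never shared {', '.join(sorted(new_labels))} with {rcpt} before; are you sure?"))
        near = [d for d in known_domains if edit_distance(d, domain) == 1]
        if domain not in known_domains and near:
            warnings.append(("lookalike", f"{domain} is one typo away from {near[0]}; did you mean that?"))
        if all_labels and domain != sender_domain:
            warnings.append(("security", f"you are about to share {', '.join(sorted(all_labels))} outside {sender_domain}; add encryption?"))
    return warnings


# Constructed sample data: a hospital employee mailing a GP, with the GP's domain mistyped.
HISTORY = {("anna@ziekenhuis.example", "jan@huisarts.example"): {"medical"}}
SAMPLE = Message(
    sender="anna@ziekenhuis.example",
    recipients=["jan@huisart.example"],  # one character missing from a known domain
    body="Beste Jan, hierbij de aanvraag. Ordernummer 123456789.",  # fails the elfproef: not a BSN
    attachments={"aanvraag.pdf": "Patiënt J. Jansen, BSN 111222333, IBAN NL91ABNA0417164300"},
)

if __name__ == "__main__":
    for code, question in pre_send_check(SAMPLE, HISTORY):
        print(f"[{code}] {question}")
```

The two checksums are what make such a check usable in practice: a bare nine-digit regex would flag every order number and phone number, and users quickly learn to click through warnings that are usually wrong. The look-alike check targets the misaddressing problem directly, since a recipient domain one edit away from a domain the sender has used before is far more often a typo than a new contact.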

Conclusion

While mistakes help us learn, when it comes to data leaks it is essential to learn from the most instructive ones and eliminate the rest. That is where the Dutch come to the rescue, delivering comprehensive reports that can serve as a worldwide reference for digital communication security. If the Netherlands, with its reporting culture, record keeping, innovative mentality and impressive infrastructure and technology, can protect an entire country from the cold waters of the North Sea, one can only imagine its capabilities in data protection. In this field, the Dutch are way ahead of the game; a game that shows you need to help and educate your employees in handling sensitive data if you want to win it and keep your company safe.

Do you know how GDPR compliant your company is? Download the checklist below to find out!

Go to the GDPR Checklist
