Jon Fielding, Managing Director EMEA, Apricorn, outlines the risks to data caused by human error
The number of reports of data security incidents received by the UK’s Information Commissioner (ICO) surged 75% over the past two years according to Kroll, with some 2,124 attributed to human error. The public sector was no exception, with local government accounting for 328 of those alone.
Data is king; not only is it crucial to most organisations’ planning strategies, but it has also become the number one target for cyber criminals. Whether it be ransomware attacks on the NHS, or cyber-attacks on parliamentary email accounts, public sector data is of huge value to opportunistic employees, as well as hackers and teams funded and trained by nation-states.
Public sector organisations often hold information in higher quantities than other organisations, and of higher quality in terms of the information available, such as personally identifiable information (PII). As a result, businesses, governments, regulators and the general public are clamouring for secure data protection. Indeed, 2018 saw the introduction of the General Data Protection Regulation (GDPR), which had organisations in every sector scrambling to meet the new compliance regulations and uncover any potential vulnerabilities that could lead to sensitive data being lost or exploited.
Many organisations are investing heavily in the latest cyber security hardware, software and consultancy in order to meet compliance demands. While it’s important to have up to date security software and processes as part of your IT infrastructure, organisations often focus too much on the technological aspect of cyber security without acknowledging that one of the biggest threats to sensitive and confidential information comes from the users and the risks posed by human error.
Even with the greatest security systems in place, including the latest cyber security software, hardware tools installed and threat intelligence implemented, human error could still undermine all these defences. In order to comply with legislation and avoid a potential data breach, this must be taken into account. So what steps should organisations take to ensure they are protecting themselves against all possible threats to their data?
Equip your employees with the right tools
Human beings are typically the weakest link when it comes to data security. In a survey carried out by Apricorn, nearly half of the companies surveyed said employees are their biggest security risk, and as many as 44% expected that employees would lose data and expose their organisation to the risk of a data breach.
‘Insiders’ may seem innocuous, but they are a genuine threat to any organisation with valuable information such as health records, PII, and payment card information. Risks can come from employees in the office or on the move, and from contractors and third-party business associates. Add to that past employees who may still have access to the network, or even disgruntled former employees who left a company on bad terms. Ultimately, anyone with access to corporate data poses a threat to its security.
Carelessness, or simply failing to adhere to security policies, is unfortunately common. Risks can also come from individuals who intentionally misuse their access to data, or those working remotely without the tools, or knowledge, to protect the confidentiality and integrity of the sensitive information they have access to.
Despite this, more than half of organisations do not see careless employees as the biggest barrier to secure remote working; in fact, it is the complexity of the technology deployed to keep data safe that most regard as the greatest problem. Remote workers are, according to 54% of organisations, usually willing to comply with security measures put in place to protect data, but lack the necessary skills and technologies to do so. Not only are organisations concerned that this knowledge gap leaves them vulnerable to attack; they also see it as the area most likely to cause them to be non-compliant.
It is vital to ensure you have thorough and up to date security software and measures in place, but when the complexity of these measures exceeds the skills of those most in need of them, you unintentionally create another point of vulnerability for yourself, leaving the door wide open to potential data breaches.
Encryption ensures data protection
One answer to this problem is encryption, which is itself recommended by GDPR Article 32. Encrypted devices effectively kill two birds with one stone, aiding compliance with GDPR, and providing a simple method of cyber security, ensuring data is protected wherever it resides.
If data isn’t encrypted, it can easily and quickly be compromised. Knowing who has accessed it and from what location, and on what devices the information resides, is essential. Whilst this can be difficult across a fragmented IT environment, protecting sensitive information and intellectual property – be it from malicious or disgruntled employees stealing data, or those unintentionally breaching data use policies – should be a priority for all organisations.
By equipping employees with simple-to-use devices featuring strong hardware encryption, for instance, an organisation can whitelist those devices on the IT infrastructure, tracking and tracing their use while blocking access to all non-approved media.
Disabling outdated user accounts when employees exit an organisation, implementing strong password policies, limiting account privileges, updating these regularly and controlling access to corporate systems are all crucial to keeping data secure.
There is no doubt that public sector organisations across the UK have spent more time and effort than most in ensuring they are compliant with the latest data protection legislation, but technology is often updated at a pace that far outstrips the training programmes available for employees. Encrypted hardware is a simple and effective solution to the insidious problem of human error. When deployed alongside strong compliance policies and effective employee training, this will ensure your security is airtight.