Most data breaches have nothing to do with hackers coding in the sinister darkness somewhere, as Hollywood likes to portray. In fact, the latest Australian notifiable data breaches report attributes 68 per cent of data breach disclosures to “human error”, which it says “generally result from a failure of process or procedure.”
And Government is again one of the ‘top five’ sectors for breaches, just to highlight how significant this risk is to Australia as a whole.
The other four sectors in the top five are Health Services, Finance, Insurance, and Retail. These sectors are all potentially lucrative for criminals, and they’ve always rated highly on the percentage of overall attacks.
The question, however, needs to be asked: Why is human error still a factor when all of these sectors are keenly aware of the overall need for cyber security? We’ve all seen the data highlighting the risk of human error, so why does it continue to be such a problem?
Or, in other words: where are the missing pieces in the security strategy that should account for human error, and how can we address the problem?
The Inevitability Of Human Error
One possible answer to these questions is that human error is often seen as inevitable, rather than as a preventable and manageable risk. This may explain why the sectors that are in the “most breached” lists also tend to have the largest numbers of employees per organisation – when you’ve got 10,000 staff, the simple law of percentages is that it’s more likely that one of them does make a human error compared to a small business with ten employees.
Yet those smaller businesses and less tech-savvy sectors are often operating at incredible risk. Events over the last few years have pushed many sectors from largely paper-based processes to digital, and onboarding has also required education around security best practices.
And yet the breaches are still disproportionately occurring in the most tech-savvy sectors. With that fatalistic mindset, in which human error is treated as a given, cyber security efforts aren’t directed at prevention or risk management, but rather at response and damage minimisation.
That, in turn, then creates a culture of negativity and defeatism around IT, and ultimately ends up stymieing efforts to leverage IT for innovation and to deliver better business outcomes.
The reality is that human error can be mitigated and does not need to be seen as an inevitability. Many organisations simply may not have adequate policies, procedures, and training in place to minimise the likelihood and impact of human error. For example, some of the common types of human error breaches reported by the OAIC include sending personal information to the wrong person, disclosing personal information without authorisation, and losing paperwork or a data storage device. These incidents could have been avoided or mitigated by implementing simple measures such as email filtering, encryption, access control, and secure disposal.
Another possible reason is that human error is often influenced by external factors, such as stress, fatigue, distraction, and pressure. These factors can affect the cognitive abilities and judgement of staff, making them more prone to mistakes and oversights. For example, some of the human error breaches reported by the OAIC may have been caused by staff working under tight deadlines, dealing with high workloads, or coping with the challenges of remote work. These factors could have been addressed by providing staff with adequate support, feedback, and resources, as well as promoting a positive and healthy work culture.
There is perhaps not much that the IT team can do to address the second issue. Having a workplace environment that doesn’t introduce risk through stress and pressure needs to be part of a more holistic understanding of the way that people interact with and use technology in the workplace.
However, a third possible reason is that human error is often compounded by poor detection and response capabilities. Many organisations may not have effective systems for identifying, assessing, reporting, and resolving data breaches, leading to delays and gaps in the notification and remediation process.
For example, some of the data breaches reported by the OAIC involved secondary notifications, meaning that the affected organisations were not the original source of the breach, but rather the recipients of data from a third-party provider that had been breached. These incidents could have been reduced or prevented by ensuring that the third-party providers had adequate security measures and contractual obligations, as well as by monitoring and auditing their performance and compliance.
There are some other principles and policy controls that can help reduce the impact of human error, too. One is continual training and a cyber security education program. Much as many organisations run mandatory first aid or fire drills, so too should cyber security training be a mandatory and frequently updated policy. On the technical side, role-based access control and a data loss prevention system provide a foundation that can help limit and track unexpected disclosures. Meanwhile, limiting access using zero-trust security and the principle of least privilege can provide additional protection against human error for the most critical pieces of data.
Finally, one additional cause that often gets attributed to “human error” is a security environment so restrictive that it compromises the user experience. If employees are frustrated with the restrictions placed on how they use IT, they will often look for ways to circumvent the systems. This shadow IT becomes a significant risk of data leakage and loss, and it can be very difficult to discover and monitor the full extent of it within an organisation.
It can be difficult for an organisation to handle internally the kinds of audits and monitoring required to fully mitigate the risk of human error, as the process benefits from having experts look at it from a step back. However, with the right partners and a strategic, positive approach to cyber security, this single greatest cause of breaches can be addressed. It’s an exercise worth undertaking, because addressing the risk of human error means vastly lowering the overall company risk profile.