Human Error Accounts for Over 30% of Data Loss

Australia is celebrating Privacy Awareness week (12 to 18 May 2019) under the theme “Don’t be in the dark on privacy”. In this spirit, a recent international study has revealed that, in conjunction with a breakdown within industries most susceptible to losing sensitive information, “simple mistakes” are responsible for more than a third of all data breaches.

A corollary of the awareness campaign is the recent release of the Notifiable Data Breaches Scheme 12-month Insights Report, a full year since mandatory data breach reporting rules for Australian businesses were insitutionalised. Surprisingly, the scheme recorded 964 data breach notifications – a 712% rise on the previous year – when reporting was only voluntary rather than mandatory.  Of those, almost two-thirds (60%) were found to be the result of malicious or criminal attacks. A further 35 % was attributed to human error, with just 5 percent being caused by system faults.

The inevitable question, then, is what is responsible for such data breaches? According to the report, phishing scams were the most common cause of a data breach. Concerningly, the second most common type of breach, accounting for more than one in four (28 %) of the reported cyber incidents, occurred where details had been obtained “by unknown means”. Targeted “brute-force attacks”, hacking, ransomware, and malware accounted for 63 incidents respectively. The popular imagination easily relates to large-scale data breaches of well-known companies that tend to make headlines. However, the report found that 83% of reported breaches affected fewer than 1,000 people.

With over a third of data breaches resulting from human error, the report identified different types of mistake humans make that most commonly result in giving away data.  Among these, erroneous emails where personal information was sent to the wrong recipient, was more common than any other kind of human error. Incidences of information posted to the wrong recipient provide evidence that sending information by post has proven to be no more secure.  Unauthorised disclosure or release and the loss of paperwork or a data storage device are human errors found to contribute to data loss, along with failing to use BCC when sending an email, failure to redact an unauthorised disclosure, insecure disposal of information and verbally giving away information that was not authorised to be divulged.

The most susceptible industry, according to the report, is the health services sector where the highest incidences of inadvertently giving away personal information were reported. The industry accounted for a noticeably higher volume of reported breaches caused by both human error and malicious attack. Finance was the next most susceptible industry, followed by legal, accounting and management services, education and personal services.

Over the past five years, the adoption of new technologies like mobile and cloud have completely transformed many industries for both consumers and businesses. People have come to expect access to services from consumers wherever they happen to be and at whatever time they need. Simultaneously, cyber-attacks demonstrate the vulnerable, expanded attack surface associated with greater cloud adoption.  While organisations are working to secure their applications and other sensitive assets in the cloud, as part of their digital transformation strategies, these attacks demonstrate the need to speedily implement consistent security controls across cloud and on-premises environments to protect user privacy.

A continual process of risk assessment, education, and prevention, is a proper and prudent approach to data security. It is not something to be considered only if and when the worst happens. In which case it is too late!

“After all, most people fail to only really care about cybersecurity until they are a victim of an attack,” he said.  Cyber education in the workforce and awareness for individuals to manage their own privacy needs to be continuously reinforced and customised to the forefront of organisations’ employee base.

Legal opinion urges businesses of all sizes to take every opportunity to review current practices, given the numerous and far-reaching implications that a data breach can have in terms of the real legal, business and compliance risks and consequences of inaction have on a business.  In an age where Facebook, a company built on extracting value from user data, says that the “Future is Private” it raises the question whether privacy should be seen as a matter of strategic importance rather than mere legal compliance.

Thirteen points highlighted in the principles-based Australian privacy regulation framework to foster and grow privacy-minded individuals and businesses include: open and transparent management of personal information; anonymity and pseudonymity; collection of solicited personal information; dealing with unsolicited personal information; notification of the collection of personal information; use or disclosure of personal information; direct marketing; cross-border disclosure of personal information; adoption, use or disclosure of government-related identifiers; quality of personal information; security of personal information; access to personal information and correction of personal information. In light of that country’s focus on privacy this week, it may be beneficial to review and apply some of these principles strategically to your business.