A significant number of employers make the mistake of thinking that only the IT department or security officers are responsible for information security. Technical controls can protect the data and computers inside your network from malicious actors, but a single careless or uninformed employee in any department can give an attacker a way into your network or to other sensitive data.
In 2018, data breaches cost UK organizations an average of £6.4 million, and human error was a contributing factor in an estimated 60% to 90% of those breaches. Failing to address the human component of data protection can therefore negate many of the next-generation, defense-in-depth technologies in which organizations are investing handsomely. So what should organizations do? While there is no one-size-fits-all approach, addressing the human component of data protection requires implementing a combination of technical, administrative, and procedural safeguards, including:
- Data security awareness and training: Many incidents resulting from human error, such as disposing of devices without first wiping the data, can be effectively addressed by training and awareness programs for employees and vendors who handle sensitive information. Training employees on the organization’s information security policies and procedures should be part of the on-boarding process and should be included in periodic training. These programs should be continuously updated to address the constantly evolving threat landscape as well as organizational changes impacting data privacy and security.
- Simulated phishing programs: Implementing a program that simulates phishing attacks on employees and vendors can be effective at training users to identify and avoid phishing messages. These programs help organizations measure employees' baseline susceptibility, identify those users who need additional training, and track the organization's progress toward reducing click and credential-submission rates. Regulators are acutely aware that phishing attacks are the leading cause of external data breaches, and an organization with a mature and well-documented anti-phishing program will be better positioned to withstand regulatory scrutiny following a breach.
- Full encryption of devices and portable storage: Lost or stolen devices containing sensitive information will become more frequent as more users store sensitive organizational data on laptops, mobile devices, and portable storage. Most state breach notification laws provide a "safe harbor" against compulsory notification where the affected data was encrypted, typically on the condition that the encryption key or password was not also acquired; a laptop lost with its decryption passphrase on a sticky note does not qualify. Organizations should therefore implement full-disk encryption on every device that may contain sensitive data, and manage recovery keys separately from the devices themselves. Indeed, many regulators expect it and now view the lack of encryption as per se unreasonable security.
- Data loss prevention software: Sensitive data can be leaked outside an organization by inadvertent mistake or malicious intent. Data loss prevention (DLP) software is designed to detect and block users from sending sensitive data outside the corporate network without authorization, for example by email, web upload, or removable media. DLP can only act on data it can recognize, so it is most effective when paired with a data classification scheme that tells the tool which content to protect.
- Access rights and privileges: Organizations can substantially reduce their attack surface and the likelihood of human error causing a data security incident by implementing and maintaining policies and procedures based on the least-privilege principle. Least privilege means that users are given only the minimum access to sensitive data necessary to perform a job function, and only for the minimum time necessary. While least privilege is an age-old security management principle, organizations often fail to remain diligent in monitoring and limiting users' privileges as employees' roles, and the systems to which they truly need access, change over time. Periodic access reviews and prompt removal of access when an employee changes roles or leaves are the practical checks that keep the principle in force.