BreachExchange mailing list archives

Data breaches - hackers have nothing on your own employees


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Sep 2015 17:41:41 -0600

http://www.cbronline.com/news/data-breaches---hackers-have-nothing-on-your-own-employees-4660652

Cyber attacks like the recent Ashley Madison incident make great headlines
but as many within the security industry will know, it's not only external
threats that we need to worry about. One of the biggest threats out there
is human error which means you need to protect your data from your
employees just as much as you do from hackers.

The recent Big Brother Watch report and the Thomson breach illustrate that
human error is going nowhere so it's time for organisations to understand
why this continues and how to protect against it - because the new EU data
protection laws will wait for no one.

Human error is nothing new
Unfortunately, the issue of human error within data breaches won't be a
revelation to anyone reading this. There is broad agreement within the
industry that it is the cause of most breaches. The IT Policy Compliance
Group says 75% of ALL data losses are human error, the Aberdeen Group says
64% and most recently, CompTIA said human error is the root cause of 52% of
security breaches.

Big Brother has been watching
The recent Big Brother Watch report claimed that local authorities had
4,236 data breaches in the last 3 years - that's almost 4 data breaches
every day. And to add to the bad news, there were many repeat offenders -
10 of the local authorities had 100 or more data breaches during that time,
with Brighton and Hove reaching a whopping 190 breaches.

The vast majority of the causes were human error with lost mobile devices
and yet again, employees sending the wrong data to the wrong people;
specifics included:
- 197 mobile devices including phones, computers, tablets and USBs lost or
stolen,
- more than 5,000 letters sent to the wrong address or included content
meant for another recipient,
- 628 instances of incorrect or inappropriate information being shared on
emails, letters and faxes.

The case of Thomson
Of course, data breaches aren't limited to public bodies. In the case of
Thomson, a private holiday company, an email was sent in error that
contained the home addresses, telephone numbers and flight dates of 458
people - holiday goers that now fear the company has opened them up to
burglaries whilst they're away. The cause? A simple case of an employee
making a mistake; human error strikes again.

Why?
So the question arises: why does this keep happening, and how should
organisations deal with it?
Why human error happens is simple - people are people and they make
mistakes. Why it keeps happening is more complex but usually because
people, and organisations, haven't learned from their mistakes and haven't
put processes or policies and procedures in place to stop it happening
again.

EU data protection regulation
With the new EU data regulation laws on the way, all organisations will
need to have their data ducks in a row. With fines to the tune of up to €1
million or 2% of a company's annual worldwide turnover for a data breach,
coupled with all the bad reputation that comes with a breach, organisations
will soon have nowhere to hide.

Protecting your organisation against human error
The key thing to remember when looking to secure your company against the
internal threat of a data breach is that human error isn't going to
miraculously disappear. No matter how much you do to protect your
organisation against a data breach, mistakes will happen and breaches will
occur so organisations need to consider what will protect them both before
and after the fact.

Here are what I think are the top three things to focus on:

Culture - how employees deal with data is often learnt on the job so if
senior management are serious about how the company handles data to protect
itself against a breach, that culture should drop down to everyone. It's
the softer side of things but the right attitude towards data helps to
limit the likelihood of breaches.

Rules - all organisations need to put processes in place so that employees
know how to deal with data. As part of the new EU law, organisations will
be expected to give notification of a data breach within 24 hours - so
EVERY employee needs to know what the policy is to report a breach
internally, and the ramifications of not reporting a breach.

Technology - for remote workers with USBs, laptops, and mobile phones on
the move, companies need more than encryption which is difficult to prove
after the fact. Organisations need to consider geo-location tracking,
technology that provides a verifiable audit trail, and the ability to
destroy data remotely if it's lost irrevocably.

Remembering that people will still sometimes make mistakes, you're looking
for technology that will both help prevent a breach in the first instance
and help protect you in the unfortunate instance of a breach.

Human error isn't going anywhere and that's the starting point organisations
should be coming from when trying to secure data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
