The Biggest Cause of Data Breaches is People
In June of this year, the United Kingdom’s Brighton and Sussex University Hospitals’ NHS Trust failed to ensure that hard drives containing highly sensitive patient information were erased completely before they were handed over to a contractor. The hard drives ended up being sold on eBay, earning the Trust a £325,000 fine from the UK’s Information Commissioner’s Office (ICO), the largest fine of its type ever issued.
Like so many other companies that are issued with these hefty ICO fines, the Brighton and Sussex University Hospitals’ breach was not caused by a faulty database or internal network problems but, simply, human error.
Increasing Fines Leave No Room for Mistake
This is a prime example of just how much of an impact staff mistakes can make when it comes to data breaches. Recent research from the Ponemon Institute showed that organisations cite “human factors” as the cause of 78% of all data breaches. In many ways, this is an inconvenient truth, because it’s often easier to blame errors on technology than your own employees.
In addition to this, data breach fines don’t seem to be slowing down. In the U.S., nearly every state has a data breach notification law, with notification requirements and fines for data breaches of varying severity. The ICO in the UK has become much tougher on organisations in breach of the Data Protection Act. In the past year, the number of warnings handed out for security lapses has increased by almost half (48 per cent) to 68, and fines reached nearly £2 million over the year.
Helping Humans Avoid Data Breaches: Three Tips
Faced with large fines, and with no margin for mistakes, it’s important that companies make every effort to reduce the likelihood of human error being a factor in data breaches. Some key solutions include…
1. Device management technology
Technology guards against human error. Management systems can be used to monitor, set and enforce policies, right down to individual users if required. Management software can also track and monitor which devices are allowed and what data is downloaded, and can be set up to block the use of unencrypted USBs.
If an encrypted device is lost or stolen, the data remains secure and a potentially damaging breach is avoided. An encrypted memory stick can be used with the same ease as an unencrypted device, and provides peace of mind for staff and security for data.
3. Staff education
Perhaps most important of all: staff need to understand their responsibilities around data security and how to use technology effectively in order to do their jobs without risking a data breach. Proper training has to be a major part of this, as does supplying staff with the right equipment to do their jobs. It is no use mandating the use of encrypted memory sticks if these are then not made available to staff.