The recently released 2015 Information Security Breaches Survey has found that “50% of the worst breaches in the year were caused by inadvertent human error.”
As data breaches proliferate, more and more organisations are struggling to handle the threat that their own staff present.
Alan Calder, founder and executive chairman of IT Governance, said, “Organisations that are keen to protect their data assets must not forget to assess and mitigate the risk posed by their own staff.” Calder continued, “Your staff are already inside your information security perimeter, so it would be foolish to let them roam free without effective policies and procedures”.
Accidental or not – they’re a threat
A data breach caused by inadvertent human error could be something as simple as emailing an internal document to a client by accident. But how can you protect against that?
The usual approach to protecting against these types of incidents is to restrict technology to prevent them from happening, but this can sometimes be overkill. For example, the Bank of England disabled auto-complete in Outlook after an email was sent to the wrong person – this means that employees have to type out full email addresses whenever they want to send an email.
This is a bad move. Not only does it slow down an employee, but if you have a classified document that only the CEO is supposed to see, then issues may occur if your CEO John Huthwell shares a similar email address with marketing intern John Hithwell – see where I’m going with this?
There is technology out there that can help prevent mistakes, but it’s more important and beneficial to your organisation that you make security an enabler and not a burden.
I’ve often supported Kai Roer on the importance of creating a security culture inside the organisation: providing staff with the knowledge they need to keep your organisation secure, and providing it in a way that works for them.
To learn about how to create a security culture in your organisation, I strongly advise that you purchase Kai Roer’s book, Build a Security Culture.