Could your staff cost you millions in data breaches?

Businesses have never been more at risk of data breaches

A recent report by DLA Piper found that European companies reported around 60,000 data breaches in the eight months after the GDPR came into force, roughly one every five minutes. Ransomware attacks are also growing by more than 350% a year, and 70% of businesses said in 2017 that their security risk had increased significantly.

The reports are reflected in the media, with Microsoft, Facebook and even home improvement retailer B&Q disclosing data breaches in recent months. Microsoft and Facebook were the targets of sophisticated attacks, whereas B&Q’s records of suspected store thieves were exposed simply because they were held in an open-source search engine instance that had been left reachable without any user authentication. No exploit was needed: anyone who found the address could read the data.

This reflects an often overlooked truth about data breaches: although cyber attacks receive more attention in the press, it is more often human error or simple negligence that causes them.

The Information Commissioner’s Office revealed in its annual report for 2017/18 that four of the five leading causes of reported data breaches could be attributed to human error:

  1. Data sent by email to the incorrect recipient
  2. Data posted or faxed to the incorrect recipient
  3. Loss or theft of paperwork
  4. Failure to redact data

Human beings make mistakes, and the mistake of one individual can jeopardise the entire business. The notorious Equifax breach of 2017, which exposed the personal data of nearly 146 million Americans, was publicly attributed by the company to a single employee failing to act on a notice to apply a software update that would have prevented the breach. The more useful lesson for other businesses is that nothing independently checked whether the patch had actually been applied; a control that depends on one person remembering is not a control.

Given that a company’s employees are often the weakest link in its data security, company directors need to understand which areas of the business are most likely to be the source of a data breach.

1. Remote Workers

One type of employee who risks putting the wider business at risk is the remote worker. Telecommuting, an arrangement whereby employees are permitted to work from home or elsewhere for some or all of the week, is increasingly common: around 70% of people globally now work remotely at least one day a week.

However, remote work carries additional security risks. An employee using a company laptop in a coffee shop may be on a Wi-Fi network that is open or shares one password with every other customer, so anyone else on that network can read or tamper with any company traffic that is not itself encrypted; no great skill is required. Additionally, few employees can avoid using paper files, and confidential documents are quickly lost or stolen in public places.

Employers should therefore clearly set out their remote employees’ responsibilities regarding confidentiality and data protection. They must also establish device security policies that remove the scope for costly mistakes, for example by specifying that only work-related files may be downloaded to company devices. Other advisable measures include device monitoring, rigorous password protection, full-disk encryption so that a lost or stolen laptop does not itself become a breach, a company VPN so that traffic stays private whatever network it crosses, and a requirement that devices and files are only used in approved locations with secure Wi-Fi networks.

2. Administration department

Another vulnerable area of any business is the administration department. Responsible for a business’s financial planning, record keeping and logistics, an administrator is often the backbone of an organisation. The role is therefore crucial for avoiding a data breach: if any of these responsibilities is performed incorrectly, sensitive data can quickly end up in the hands of malicious third parties.

With so many documents moving through the admin department every day, sensitive information on meeting notes, tax forms and financial reports can be lost or stolen if an effective process is not in place. A prerequisite should therefore be a clean desk policy, whereby all employees are required to clear their workspaces of documents at the end of each day.

By implementing this rule, administrators will find it far easier to store and destroy sensitive documents. Hard copies still in use should be locked in storage cabinets overnight, with the most important files held off-site at a secure information management facility. Documents that are no longer needed should be shredded immediately rather than thrown in waste bins, where they can be retrieved and used for blackmail or fraud. Note that strip-cut shreds can be reassembled; for genuinely sensitive material use a cross-cut shredder or a certified destruction service.

3. Complacent managers

Complacency is perhaps the most common root cause of a data breach, and senior managers who fail to promote data security best practice pose the greatest risk. Managers are responsible for setting the standard in cybersecurity; if they become complacent about running security awareness programmes, their employees will soon forget their training too.

Poor password management, opening suspect emails and leaving computers unlocked are all habits that creep into a business’s culture if an example is not set at the top. Managers should insist that staff lock their devices and use a strong, unique password for each account, backed by multi-factor authentication wherever it is offered. Note that both the UK’s NCSC and NIST now advise against forcing routine password changes, which tend to produce weaker and more predictable passwords; a password should be changed when there is reason to believe it has been compromised, not on a calendar. Managers should also arrange for external training to be made available to all staff.

For example, managers should invest in up-to-date e-learning sessions covering both online and offline security, and invite IT security specialists to teach employees about common attack techniques such as phishing and how to respond if a data breach does occur.

Key Takeaways

The rising threat of cyber attacks is undeniable, and companies of all sizes should prepare to deal with direct attacks. However, businesses cannot afford to neglect the cost of mistakes made by staff, and any cybersecurity budget should include resources for comprehensive training and for secure document storage and disposal. Only then can the risk of human error be minimised.

About the Author

Nik Williams is the Managing Director of Shredall SDS Group, one of the UK’s largest independently owned shredding, document storage and document scanning companies. Shredall SDS Group operates across the UK serving small companies to large multinationals, and both public- and private-sector bodies.