Human error causes more data loss than malicious attacks

Stupid humans, you are the weakest link, at least according to the ICO

Human error is the main cause of data breaches, according to statistics obtained from the UK’s Information Commissioner’s Office.

Figures obtained by Egress Software Technologies via a Freedom of Information (FOI) request found that human error accounted for almost two-thirds (62%) of the incidents reported to the ICO – far outstripping other causes, such as insecure webpages and hacking, standing at 9% combined.

The most common type of breach occurred as a result of someone sending data to the wrong person. Data posted or faxed to the wrong recipient accounted for 17% of data breaches, according to ICO information.

A further 17% of breaches came from loss and theft of paperwork, while in 9% of cases, data was emailed to the wrong recipient.

The ICO also recorded several other types of data breach, including insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data.

“The fact that so many breaches are caused by methods of working that are known data breach pitfalls – such as faxing and posting sensitive information, or using plaintext email – should be a major concern for all organisations,” said Egress CEO Tony Pepper.

“Organisations need to begin gaining a holistic understanding of the information security measures they have in place,” he added.

Pepper recommended that businesses examine the nature of the data produced and handled by their staff, and use a classification tool to mandate how it is treated. Next, they need to make sure that, when required, the data is released in the correct manner.

According to Pepper, integration between classification policy and tools, such as email encryption and secure online collaboration, can ensure the correct protection and control is applied to the data when it is released from the business environment.

He said such measures are usually not available in more traditional ways of working, leaving staff open to the risk of accidentally sending data to the wrong recipient.

Public awareness of data loss is set to rise with changes to European data protection laws coming into force in 2018 through the General Data Protection Regulation (GDPR).

Speaking at the European Identity & Cloud Conference 2016 in March, privacy lawyer and KuppingerCole analyst Karsten Kinast said: “The regulation requires organisations to notify the local data protection authority of a data breach within 72 hours of discovering it. This means organisations need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach.”
