With the rise in cyber crime year after year, it’s easy to forget that some of the biggest threats come from inside your building.
According to Verizon’s 2019 Data Breach Investigations Report, 21% of security incidents in the past year were directly linked to employee mistakes.
So, what are employees doing that’s putting their organization at risk? Verizon breaks down employee error into seven common mistakes.
Most common causes of human error
- Misdelivery: 37%
This occurs when sensitive information is sent to the wrong person. It can be a case of confusion over the intended recipient, such as when a letter is delivered to the wrong address, or a mistake in email protocol.
One of the most common examples of misdelivery is when a mailing list is entered in the Cc field of an email instead of the Bcc field. This means that everyone who receives the message knows who else is on the list.
- Publishing error: 21%
These are instances of confidential information being posted in publicly available places.
They usually occur when an employee posts something online and mistakenly includes internal details.
- Misconfiguration: 21%
Servers and applications can be misconfigured if the organization doesn’t properly implement security controls designed to protect them.
Misconfiguration commonly happens when organizations fail to password-protect databases that they store on the Cloud.
- Loss: 7%
If an organization doesn’t know where information is – whether it suspects misuse or not – it’s considered a breach.
Organizations are more likely to lose physical information, because digital files should be backed up or stored on the Cloud. However, there are many instances of laptops and removable devices going missing.
- Programming error: 5%
These are mistakes in the way a program is written that cause it to behave unexpectedly.
Programming errors are generally referred to as bugs, and are a common part of programming. However, organizations should ensure that as many of these errors as possible are fixed before rolling out the application.
If they don’t, the errors could disrupt the organization’s productivity or introduce vulnerabilities that could be exploited by cyber criminals.
- Disposal error: 5%
This is the failure to delete or dispose of information properly, and can apply to both physical files and digital information.
Physical files containing sensitive information should always be shredded when no longer needed, and digital information should be wiped from hard drives. This is particularly important when you are throwing out the device.
- Omission: 4%
Incomplete data records can be just as damaging as losing the information.
For example, if you don’t have contact information for a customer, you won’t be able to get in touch to provide important updates – such as changes to your privacy notice or when you suffer a data breach.
Take action with IT Governance
Don’t let your staff be your point of failure. Commit to staff awareness training to help everyone in your organization understand their data protection responsibilities.
Staff awareness training can help combat insider threats by ensuring that employees who have access to sensitive data have the correct knowledge and an understanding of information security, as well as being aware of the consequences and risks.
IT Governance’s e-learning courses emphasize the importance of compliance and security, helping staff develop good habits and increase their knowledge.
This hassle-free and cost-effective option is a flexible way of delivering training to large numbers of employees.