Data security and privacy tends to be associated with defence against external actors. Sufficient investment in the protection of networks against hackers provides the most robust cyber security, or so the logic goes. Human error is part of the problem, but mainly in the form of opening ‘dodgy emails’ that are actually intended to attack a computer.
In truth, human error plays a far greater role. Between May 2014 and March 2016, over 3000 incidents were reported to the Information Commissioner’s Office (ICO). 2066 – or 68% – of these were categorised as ‘disclosure of data’ rather than a ‘security’ incident.
This means that the vast majority of data security breaches were not so-called ‘cyber attacks,’ but rather human errors like losing devices, insecure disposal or verbal disclosure. Chief among these errors was data being sent to an incorrect recipient.
In the last quarter, whereas ‘cyber incidents’ like phishing or DDoS attacks made up 9% of data security incidents reported to the ICO, data being sent to the wrong recipient comprised over 30%. Indeed, incidents involving data being emailed to the wrong recipient increased by 60% over the last quarter. As the ICO noted:
“A particular risk factor for incidents within this category is the use of ‘autocomplete’ rather than typing in an individual’s full name into the ‘to’ field. Often, the sender of the email will not realise their error until alerted to it by the recipient. Disabling ‘autocomplete’ may reduce the likelihood of such an error occurring.”
Worryingly, this was especially prevalent in the health sector. There was a 26% increase in data security incidents in health compared to the previous quarter, representing 43% of all incidents in Q1 2016/17. Data being sent to the wrong recipient was the most common type of incident reported in healthcare.
Aside from health, other types of security incident reported across all sectors included ‘failure to use bcc when sending email’, ‘failure to redact data’ and ‘inadvertent publishing of data on website.’ This is not data theft by nefarious state actors, cyber criminals or hacktivists – this is sheer human fallibility.
Moreover, inadvertent disclosure is likely to be woefully underreported. There are two reasons for this. First, people are often unaware that they have disclosed anything. Second, people are embarrassed to admit it. Part of the reason the health sector continues to account for the most data security incidents is that the NHS makes breach reporting mandatory. However, this will soon change. The General Data Protection Regulation (GDPR), which came into force in May this year, makes notification to the regulator mandatory for breaches of personal data. Moreover, fines will be introduced of up to 4% of worldwide turnover or 20 million euros – whichever is higher. Several actions are required to begin to address these challenges, especially as the GDPR comes into being.
First, we need to reconsider our collective understanding of data security. Continuing to focus exclusively on protecting against perceived external threats – and ignoring the scale of inevitable human error – misses the point. So many of our other technologies now have inbuilt mitigations against human mistakes: cars that alert the driver when he or she is reversing towards a wall; GoogleMaps directions that readjust when you take a wrong turn; even the prompt put to most computer users on a daily basis: ‘do you want to save changes?’
Second, we need to invest in technologies to deal with these challenges. It is impossible to teach humans not to make honest mistakes, yet reducing speed and efficiency in favour of caution is far from ideal either. The technology to deal with this problem does exist. CheckRecipient learns from historical user sending patterns to build a graph of the sender’s social network. It then intelligently detects any recipient mistakes when the user clicks send, and gives him or her the opportunity to correct their error. Organisations should be signposted towards such providers, to accelerate the take-up of such technology.
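As an illustration of the kind of send-time check described above (added example; this is not CheckRecipient's code or algorithm, and the sending history, addresses and thresholds are constructed for the demonstration), the snippet below builds a co-recipient graph from past emails and flags recipients that are new, that resemble a known contact, or that have never been addressed together with the rest of the draft's recipients:

```python
from collections import defaultdict
from itertools import combinations
import difflib

# Constructed sending history: each entry is the recipient set of one sent email.
HISTORY = [
    {"alice@hospital.example", "bob@hospital.example"},
    {"alice@hospital.example", "bob@hospital.example", "carol@hospital.example"},
    {"alice@hospital.example", "carol@hospital.example"},
    {"dave@supplier.example"},
    {"dave@supplier.example", "erin@supplier.example"},
]


def build_graph(history):
    """Count how often each address was used and how often each pair was co-addressed."""
    seen = defaultdict(int)      # address -> number of emails sent to it
    cooccur = defaultdict(int)   # (addr_a, addr_b) sorted pair -> co-addressed count
    for rcpts in history:
        for r in rcpts:
            seen[r] += 1
        for a, b in combinations(sorted(rcpts), 2):
            cooccur[(a, b)] += 1
    return seen, cooccur


def check_recipients(to, seen, cooccur, cutoff=0.9):
    """Return (recipient, reason) warnings for a draft's recipient list.

    Heuristics (assumed for this example): a never-before-used address is
    suspicious, more so if it closely resembles a known contact (the kind of
    confusion autocomplete produces); a known address that has never been
    co-addressed with any other recipient of the draft is also flagged.
    """
    warnings = []
    for r in to:
        if r not in seen:
            close = difflib.get_close_matches(r, list(seen), n=1, cutoff=cutoff)
            reason = "never emailed before"
            if close:
                reason += f"; looks like known contact {close[0]}"
            warnings.append((r, reason))
            continue
        others = [o for o in to if o != r and o in seen]
        if others and not any(cooccur.get(tuple(sorted((r, o))), 0) for o in others):
            warnings.append((r, "never addressed together with the other recipients"))
    return warnings
```

A real deployment would weight these signals by recency and volume and present them as a confirmation prompt rather than a hard block, so that the sender keeps the final decision.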
Third, the GDPR will accelerate the wave of increased data breach reporting. As the true scale of inadvertent data loss becomes clear, so will that of other forms of data security incident. We should avoid hyperbole, and use this as an opportunity for an honest appraisal of what can be done. Part of the reason why individuals and companies are loath to admit such mistakes is concern for reputational damage – discovering they are not alone makes it easier to do so. Conversely, recognition of best practice by different organisations should be heavily encouraged, and the new era of increased reporting should be used to spark such conversations.
There is a great deal that can be done to reduce data breaches. The GDPR makes taking action all the more urgent. We’re only human – recognising this is the first step.