The Human Element of Data Security

22nd July 2019

Without handing over complete control of the world to machines – which has never worked out too well in the movies – there will always be an element of human interaction with handling data. Therefore, there will always be risk, but can we mitigate it?

A recent report by Osterman Research confirmed that only 42% of organisations train their employees on the General Data Protection Regulation (GDPR).

The GDPR states that businesses must ensure the protection of the personal information that they hold on their customers and employees. But if there is a lack training and monitoring how can businesses ensure that they are GDPR compliant and in fact doing everything they can to prevent  both and internal and external data breach?

Here, we will explore the types of human error that can be mitigated by training but would also benefit from a process that verifies that all interactions with data is carried out in a secure manner.

Phishing Scams

By far the biggest human error is falling for a phishing scam; phishing emails are designed to look like legitimate emails, persuading you to either reveal sensitive information such as login details, transfer money or click on a malicious link. There is no doubt they are becoming more believable as time goes on, and we need to be more vigilant than ever. Organisations across the globe are implementing two factor authentication and investing in user training to try and thwart this threat. There are also tools such as RiskView which scans for the indicators of a phishing email and notifies you if any have entered your network

Sharing Passwords

Employees share passwords for a number of reasons; password sharing makes it easier for multiple users to access a team account, employees may handover access when they are on annual leave, or they may be sharing accidentally by leaving their credentials on a post-it note. This seemingly innocent practice can come with harsh consequences. This sensitive information is generally shared within emails or chat which can be accessed if the user has fallen for a phishing scam, but these login details are generally reused amongst other business and personal online accounts, leaving the business open to attack. A study found that 95% of employees are sharing passwords and 59 percent use the same one over and over, a hacker only needs one password to be able to access your entire network. Can you detect instances when login details have been shared?

Access Controls

The GDPR states that only employees who need to be able to see sensitive information for their daily duties should have access. This means that accounts or databases must be closed to those who have no need for the information. This is general good practice, and dramatically reduces the level of risk, but how can this be policed if people are sharing credentials and even sharing the content over email and copying other colleagues in?

Leaving Interview

Generally when employees leave the business, access to all business infrastructure and accounts must be revoked. This can be a straightforward process, but when passwords have been shared with a member of staff that’s leaving, then this can be almost impossible to manage effectively.

Too much work?

Employees may need to finish work out of office hours; generally USB sticks and personal email accounts are used to move these documents from the workplace to their personal devices. However, any benefits of productivity are wiped out if moving the data using unauthorised methods to a device which may or may not have the required security controls. All of this leaves the data vulnerable to theft.

The reality

But how can you ensure that any of the above aren’t taking place within your organisation? Training is a key part of this, employees must be aware of the controls the GDPR require to be in place and the risks associated with not adhering to them. The second part of this is being able to measure how successful this training has been and how to ensure that employees are following the correct procedures, and if they are not – having a way to locate where data has been moved, who they have shared login information with or if they have simply not deleted personal identifiable data from their email accounts and devices once they have not need for them.

The reality is that this that even if an organisation has superior cyber-defences, people will still inevitably make mistakes, but a safety net like RiskView can not only help to discover security and compliance gaps but will also identify whether other policies or procedures need to be put into place to ensure complete security and protection of the information you hold on others.

DDC AS work tirelessly to ensure organisations reduce their risk in an array of areas. Find out how we can support you today.

View More Articles