How to tackle the human error data leaks conundrum
Rick Goud, Founder of Zivver, explains why accidental data breaches by employees using insecure communication methods are a major issue that needs to be addressed.
It is a common misconception that phishing and hacking are the main causes of data leaks. The reality is that the majority derive inadvertently from insiders, rather than maliciously from outsiders.
Reports by independent authorities across Europe verify this. In the UK, for example, the ICO revealed 80% of the 10,000 security incidents reported to it in the last four quarters were non-cyber related. And in the Netherlands, the country with the best reporting culture in the world, a staggering 95% of the 27,000 data leaks reported last year were due to human error.
In the first quarter of 2020, causes of data leaks in UK organisations included “data emailed/posted to incorrect recipient” (28%), “unauthorised access” (6%) – mainly due to a lack of proper encryption and authentication – failure to redact information (4%) and putting recipients in the ‘Cc’ instead of the ‘Bcc’ field (6%). Data leaks due to phishing and malware accounted for ‘only’ 14% of data leaks.
Each of these scenarios can have serious repercussions for an organisation, in terms of damaged reputation, customer churn and the risk of a financial penalty due to GDPR/DPA non-compliance.
Data insecurity in healthcare
I first witnessed these types of human errors when working as a healthcare strategy consultant in the Netherlands. All around me staff were using a range of insecure data-sharing methods, such as ‘free’ file transfer services that had no guarantee of being secure. Workers also relied on ‘normal’ email to send highly sensitive information, instead of using guaranteed message encryption, which is a requirement for HIPAA and GDPR compliance.
Adding insult to injury, I noticed that weak passwords were commonplace. In addition, two-factor authentication (2FA), an extra protection layer for sensitive information, was lacking. While 2FA is now used widely, for gaining access to your bank account, your medical record or even when installing WhatsApp, for some reason it was not possible to authenticate recipients who were sent extremely sensitive information via email.
When asked why this was happening, medical staff said they didn’t know how to share information in a secure and user-friendly way. Using PGP or S/MIME, or protecting a file with a passcode and texting that code to the recipient, was just too complicated to do on a daily basis.
At this point it became clear that there was a real and urgent need for a secure and simple communication solution to remedy this problem – one that would continuously protect patient data without disrupting busy employees’ usual ways of working.
Prevent data leaks before information is sent
To develop an effective data security solution, it was necessary to consider the entire spectrum of the communication journey: before, during and after information is sent. Notably, security incident reports by European data privacy authorities showed that most data leaks happen before transmission. Specific causes include:
- Auto-completion functionalities of email clients, accidentally adding the wrong recipient.
- Attaching a file that contains sensitive information the user is unaware of.
- Users not being aware that the information they are sharing is sensitive.
- Exposing recipients’ contact details by failing to use ‘Bcc’.
Tackling such outbound email errors requires the deployment of an easy-to-use technology solution that combines real-time data classification, the ability to raise user awareness, recipient contextualisation, and communication evaluation.
On-the-spot data classification, for example, means that while an email is being composed, the system classifies the type of information the user intends to share. This applies to both the email text and any attachments. AI and dictionary-based classifiers can be used to detect medical, legal, financial or personal information, as well as national insurance or credit card numbers.
Based on the classification result, the user can be notified about any anomalies before the email is sent. Notifications can either be fully integrated into the email client while composing, or delivered as actionable notifications via email.
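To make the pre-send checks above concrete, here is an added example (not Zivver’s code) of a minimal outbound draft check: it classifies the body and attachments for credit card numbers (pattern plus Luhn checksum, to cut false positives) and a simplified UK National Insurance number shape, then flags sensitive content addressed outside the organisation and too many external recipients visible in To/Cc instead of Bcc. The draft structure, the `hospital.example` domain and the patterns are assumptions made for this illustration.

```python
import re

# Simplified patterns constructed for this example, not a product's classifier:
# a 13-16 digit run with optional spaces/dashes, and the UK NI number shape
# (two letters, six digits, suffix letter A-D).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


def luhn_ok(digits):
    """Mod-10 checksum: rejects random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive-data labels found in one piece of text."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("credit-card")
    if NINO_RE.search(text):
        labels.add("ni-number")
    return labels


def check_draft(draft, org_domain, max_visible_external=1):
    """Pre-send checks on a draft dict: to/cc lists, body text, attachments {name: text}."""
    findings = []
    labels = classify(draft.get("body", ""))
    for name, text in draft.get("attachments", {}).items():
        labels |= {f"{lab} (in {name})" for lab in classify(text)}
    visible = draft.get("to", []) + draft.get("cc", [])
    external = [a for a in visible if not a.lower().endswith("@" + org_domain)]
    if labels and external:                 # e.g. auto-complete picked an outsider
        findings.append(f"sensitive data {sorted(labels)} addressed to external {external}")
    if len(external) > max_visible_external:  # Cc used where Bcc was needed
        findings.append(f"{len(external)} external recipients visible in To/Cc; use Bcc")
    return findings


if __name__ == "__main__":
    # Constructed sample draft: a card number going to an address outside the org.
    draft = {"to": ["gp@clinic.example"], "cc": [],
             "body": "Patient paid with 4111 1111 1111 1111, exp 12/26"}
    for f in check_draft(draft, "hospital.example"):
        print("WARNING:", f)
```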
When choosing an appropriate secure digital communication platform, ease of use is essential. It’s important to enable staff to continue using their familiar email environments, such as Outlook or Gmail. This is because changing the behaviour of people is always difficult to do, especially in the workplace.
Switch to digital communication only
If we accept the ICO’s security incident figures, reducing – if not eliminating – the use of faxes and paper communication will help to minimise human error data leaks still further. This is especially true within highly regulated sectors such as healthcare, legal and government, where letters and fax machines are still often relied upon.
In the Netherlands, for example, an emergency ordinance recently issued to all law firms and bailiffs means that they are now encouraged to use secure email for communication, instead of faxes and letters, at least for the duration of the Coronavirus pandemic. This development reflects the enforced shift to working from home, where most people do not have a fax machine.
Secure email is a fast-to-deploy alternative to faxes and postal mail, enabling the safe transfer and exchange of personal information within digitally signed, legally binding documents. Since the new ruling’s introduction, more than 50% of all lawyers have started using our secure digital communications platform to comply.
By switching to digital communication only – and incorporating secure email and secure file transfer technology – organisations will significantly improve their security and speed of communication, while also cutting costs. Increased security awareness among staff would also foster a healthy culture of safeguarding personal data, which is important as data protection regulations continue to evolve worldwide.
These factors combined have the potential to boost an organisation’s performance and future-proof its data protection policies.
Rick Goud is the Founder & CIO of secure communications and file sharing company ZIVVER.
Before co-founding ZIVVER, Rick Goud spent six years as a healthcare consultant for Gupta Strategists. While there, he noticed a wide range of sensitive data – such as patient information, company performance, and legal documents – being frequently handled by employees. He realised there was a strong need for a secure communication solution to safeguard and manage such data (including for GDPR compliance) – and shortly afterwards, ZIVVER was born.