This is of course nothing new, as data security has been a hot topic for many years. How is it possible then, that this is still the case today? More importantly, what can you do as an organization to ensure optimal data security? We hope to provide some clarity and guidance in this article, which looks at data breaches resulting from human error, from an organizational perspective, and where personal data is involved. Let’s begin with a small refresher on data breaches, focusing on personal data.
Breaches of personal data
This covers any incident that affects the security of personal data, and such incidents can vary widely. The Dutch Data Protection Authority describes it as follows:
A data breach means access to, or destruction, modification or release of personal data in an organization without that being the organization’s intention. This includes not only the release (leakage) of data, but also the unlawful processing thereof.
It is difficult to prevent or mitigate the risk of data breaches that arise from human action. Technical defects can be traced by a specialist party, and improvements or optimizations are usually easy to implement. Human behavior is a lot more complex, but minimizing this risk is definitely possible.
Every day, letters and e-mails are incorrectly addressed, employees’ hardware is lost, or the wrong link is clicked, to name just a few occurrences. Recently, the risk that staff curiosity poses to personal data has featured in the news. Consider, for example, incidents involving famous persons, although such events also happen to people who are unknown to the media. Sectors that handle a lot of personal data are particularly susceptible. The health sector, for example, has been the number one source of such data leaks for years, and the education sector is also vulnerable. This does not mean, however, that other sectors are off the hook.
Risks and consequences
The risk is that data can get into the wrong hands, a risk that is currently often downplayed. Of course, the chance is small that paper-based data ends up in the hands of someone who deliberately uses it harmfully. It seldom happens that an agency accidentally shares names, addresses or social security numbers with dozens, hundreds, or thousands of other people. In addition, there also has to be someone interested in abusing such data.
Risk, in fact, is not about how big the chance is that something can happen. It’s about a combination of chance and impact. The chance may be small, sometimes negligible, but the impact could be enormous, for both the ‘victim’ and the organization responsible. Consider, for example, identity theft, the exploitation of medical details, but also the harmful leaking of information on famous people to the media. For the responsible organization, consequences vary from receiving a warning to a fine, which can run very high. It is the role of every organization to minimize risk.
How can we prevent this?
Luckily, there are plenty of options, both organizational and technical, for minimizing human error, and much improvement is possible. Some simple changes can easily be implemented and are effective when combined with a general understanding of data security. This does not mean the task is then complete: security is an ongoing process requiring constant attention. The following examples will help you to progress more quickly.
It often happens, for example, that a lot of completely unnecessary data is stored - you do not have to secure data you do not have. Some sensitive data will be needed, of course, but then you should ensure it is stored separately. Sensitive data items are often included as part of a larger bulk of data. Because of this, such data is unnecessarily sent back and forth and is accessible to far too many people. A typical situation where this occurs is the Excel export feature offered by various software packages.
Awareness is also very important, of course. This may sound obvious, but for many employees, such issues are far removed from their field of work. It is definitely recommended to run privacy training for staff regularly and repetitively. Compare this with BHV (Health and Safety) training, which we send specific employees on every year: the power of repetition is just as crucial for privacy, even though privacy training is not mandatory.
In addition to creating awareness and making organizational adjustments, there are many tools that can drastically reduce human error. Microsoft Azure, for example, offers Azure Information Protection, a tool that can encrypt information and automatically assign a classification to a document. It recognizes sensitive data in a document, and you can assign rights to different users within your IT environment. For example, a specific person can view highly confidential data, but printing or forwarding it is blocked.
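The two ideas above, keeping sensitive items out of bulk exports and automatically classifying records that contain them, as an added illustration in Python. This is example code written for this article, not code from any software package or from Azure Information Protection; the column allow-list, the sensitive-field names and the sample records are constructed assumptions. The only real rule used is the Dutch BSN check (the "elfproef"), which lets the classifier flag a citizen service number even when it sits in an unexpected column.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical allow-list for a routine export: only the columns the recipient actually needs.
EXPORT_ALLOWLIST: Set[str] = {"customer_id", "city", "order_total"}

# Hypothetical column names that always mark a record as sensitive.
SENSITIVE_FIELDS: Set[str] = {"bsn", "diagnosis", "date_of_birth"}

NINE_DIGITS = re.compile(r"^\d{9}$")


def is_valid_bsn(value: str) -> bool:
    """Dutch BSN 'elfproef': weights 9..2 for the first eight digits, -1 for the last,
    and the weighted sum must be divisible by 11."""
    if not NINE_DIGITS.match(value):
        return False
    digits = [int(c) for c in value]
    total = sum(d * w for d, w in zip(digits[:8], range(9, 1, -1))) - digits[8]
    return total % 11 == 0


def classify(record: Dict[str, object]) -> str:
    """Label a record 'Highly Confidential' if it has a sensitive column or any value
    that passes the BSN check; otherwise 'General'."""
    for key, value in record.items():
        if key.lower() in SENSITIVE_FIELDS:
            return "Highly Confidential"
        if isinstance(value, str) and is_valid_bsn(value.strip()):
            return "Highly Confidential"
    return "General"


def minimize_for_export(records: Iterable[Dict[str, object]],
                        allowlist: Set[str] = EXPORT_ALLOWLIST) -> Tuple[List[Dict[str, object]], List[str]]:
    """Keep only allow-listed columns and report which columns were dropped, so the data
    owner can see what a bulk export would otherwise have carried along."""
    exported: List[Dict[str, object]] = []
    dropped: Set[str] = set()
    for rec in records:
        exported.append({k: v for k, v in rec.items() if k in allowlist})
        dropped.update(k for k in rec if k not in allowlist)
    return exported, sorted(dropped)


# Constructed sample records; the numbers are test values, not real persons.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"customer_id": "C-1001", "city": "Utrecht", "order_total": 42.50, "bsn": "111222333"},
    {"customer_id": "C-1002", "city": "Leiden", "order_total": 12.00, "ref": "111222333"},
    {"customer_id": "C-1003", "city": "Zwolle", "order_total": 7.95, "ref": "order-77"},
]

if __name__ == "__main__":
    rows, dropped_columns = minimize_for_export(SAMPLE_RECORDS)
    for original, row in zip(SAMPLE_RECORDS, rows):
        print(classify(original), row)
    print("dropped columns:", dropped_columns)
```

The second sample record shows the point of the pattern check: the BSN is hidden in a column called "ref", so an allow-list alone would not have told you the record was sensitive.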
Sentia can help organizations set up and manage their complete, and above all business-critical, IT environment. We help clients daily with end-to-end support, including the implementation of various tools and processes. The common goal is always to optimize the IT environment and make it safer on every level. When implementing such tools, it is also important to consider the layout, possible alternatives, and ease of use. The daily working lives of employees should not become more complicated or difficult; otherwise people will work around the tools and, for example, find alternative ways to forward information.