In 2015, the BBC reported an incident in which an employee at an NHS trust was supposed to send a newsletter to around 800 patients who had visited its HIV clinic. The recipients were meant to be blind copied (bcc), but the employee mistakenly placed their addresses in the ‘to’ field, exposing every patient’s identity to all the others. This sort of security breach, otherwise known as an employee data breach, is one of the most common cybersecurity issues for organizations. The growth of remote working, with businesses relying on internet platforms and web applications to operate with their employees, has increased the likelihood of employee data breaches, whether intentional, unintentional, or initiated by a cyber attacker.
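As an added example (not part of the original post), here is a Python guardrail a mailer could apply before a bulk message leaves the organization: it fails closed when recipient addresses are visible in To or Cc, which is exactly the mistake in the incident above. The sender address, domain and patient list are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample mailing list (placeholder addresses, not real patients).
PATIENT_LIST = [f"patient{i}@example.invalid" for i in range(800)]

# More than one visible recipient on a bulk send is treated as exposure.
VISIBLE_THRESHOLD = 1


class RecipientExposure(Exception):
    """Raised when a message would reveal recipients to each other."""


def visible_recipients(msg):
    """Return every address a recipient could read from the To and Cc headers."""
    headers = []
    for field in ("To", "Cc"):
        headers.extend(msg.get_all(field, []))
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg, threshold=VISIBLE_THRESHOLD):
    """Fail closed: refuse any message whose visible recipient count exceeds the threshold."""
    visible = visible_recipients(msg)
    if len(visible) > threshold:
        raise RecipientExposure(
            f"{len(visible)} addresses are visible in To/Cc; move them to Bcc")
    return True


def build_newsletter(recipients, mode="bcc"):
    """Build the newsletter; mode='to' reproduces the misdelivery mistake."""
    msg = EmailMessage()
    msg["From"] = "clinic-newsletter@example.invalid"  # assumed sender
    msg["Subject"] = "Clinic newsletter"
    msg.set_content("Newsletter body (constructed sample).")
    if mode == "to":
        msg["To"] = ", ".join(recipients)       # every recipient sees the list
    else:
        msg["Bcc"] = ", ".join(recipients)      # stripped by the MTA on send
    return msg


def safe_to_send(msg):
    """True only if the guardrail passes; the caller must not send otherwise."""
    try:
        return check_bulk_message(msg)
    except RecipientExposure:
        return False
```

Running the check in the sending path, rather than relying on the operator to pick the right field, turns a skill-based slip into a blocked send instead of a breach.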
Human errors and mistakes are frequently overlooked by businesses, but not by threat actors. Threat actors use human blunders and flaws to gain access to a network and steal company data. In addition, while most data breaches occur due to the threat actors’ criminal intents, this isn’t always the case. A recent research study by Sackers revealed that even low-profile sectors like the pension industry have been suffering data breaches more than ever. While 35% of trustees claim they have suffered employee data breaches, the research suggests most of these breaches are down to human or systematic errors.
Errors That Cause Employee Data Breaches
It is critical for enterprises to understand the sorts of errors that might result in employee data breaches in order to prevent them. Recognizing the potential blunders in advance lets you devise a strategy and take the required measures before they occur. Errors fall into two main categories: systematic errors and human errors.
In terms of cybersecurity, systematic errors occur due to faults in devices, vulnerabilities in applications, compromised networks, and poor organizational structure within a business. In most situations, however, employee data breaches are not caused by systematic errors, since devices and networks are generally put to the test.
3 Types of Human Errors that Result in an Employee Data Breach:
1. Skill-based Errors
Skill-based errors are caused by an employee’s minor mistakes and carelessness. They may occur even when the user is performing familiar, everyday tasks. The misdelivery incident mentioned earlier is a classic example of this kind of error. Skill-based errors mostly happen because the employee is tired, distracted, or inattentive while performing a task.
2. Decision-based Errors
Decision-based errors happen when an employee makes a poor decision about their work. If workers are overworked, they may take shortcuts to save time and effort. These errors occur for various reasons, including inexperience, lack of training, or simply because an employee attempts to find an easy way out. Decision-based errors may also leave loopholes in an organization’s process flow. The most common example of a decision-based error is an employee setting a weak password like ‘12345’; to gain access to that employee’s account, a threat actor only has to try a password that is easy to guess. Neglecting to install software patches and updates on computers used by staff is another example of a decision-based error.
3. Physical Security Errors
Weak physical security at the workplace can also cause confidential information to be stolen. Examples of physical security errors include leaving confidential data unattended and tailgating. Tailgating is where an unauthorized person follows someone through a secure door or barrier, usually by simply walking close behind them or, worse, because an employee holds the door open for the unauthorized person as an act of being ‘polite.’
How to Reduce Human Error
Enterprises can draw inspiration from the single code of practice proposed by TPR (The Pensions Regulator) after it witnessed a rising number of employee data breaches; the code is expected to come into effect from 2022 onwards. It includes guidelines that trustees ought to follow to prevent breaches. They are as follows:
It is essential to train a new employee and the management regarding security best practices. Training will reduce the chance of errors from ignorance and inexperience.
Reduce the instances in which an employee becomes too tired or distracted, to prevent negligence and skill-based errors.
Never encourage employees to use ‘easy passwords’ or to store their passwords in tools such as email.
Reduce the chance of systematic errors by using updated versions of antivirus, firewalls, and web applications.
Get a clear picture of the enterprise’s security by consulting cybersecurity experts and having them perform security tests to identify the vulnerabilities in the system.
Threat actors are always on the lookout for vulnerabilities within the systems they target. Human error may create threat vectors that make an attacker’s work much more straightforward. To minimize employee data breaches, organizations should take appropriate measures to educate their workers and enhance cyber security.