Common data security breaches caused by employees

Cybercrime and data risks have been around for a long time and aren’t going away any time soon. In fact our recent UK Business Risk Report surveying over 1,700 businesses shows that awareness of these risks has increased from 17% of businesses to 35% YoY. It’s vital the awareness doesn’t stop at director level or sit in the in or out house IT support teams as one of your biggest vulnerabilities could be your employees.

Businesses are operating in a world in which 95% of cybersecurity issues can be traced to human error.¹ As a result, some regulators may require employees to undergo regular security awareness training.

Despite advanced IT security, human factors such as workload, stress, lack of skillset, the increased use of the hybrid working model, and basic human nature can all lead to human error. However, this weakest link of the security chain can turn into the best layer of defence, when it gets the right focus and attention.

A cyber liability insurance policy can provide protection in the event of data breach. Still, there is no substitute for well-informed and vigilant employees when it comes to cyber security.

Here are some of the most frequent, unintentional human errors that lead to data breaches.

Falling for a suspicious email

The initial swift rise in remote-working in 2020 presented a special opportunity for cyber-criminals. And although some years later and a new normal setting in, including businesses increasingly returning to the office or embedding a hybrid working practice, there are still vulnerable cracks in working practice. Communication in the workplace has become increasingly about the job at hand, and not a cleverly positioned mildly suspicious email.

Could you or your colleagues spot some of the clever tricks of the trade? Put yourself to the test with our interactive challenge in the Tools and Assessments section within the cyber-criminal activity section on our risk hub.

Sending and deleting data

Not all data breaches need to involve sharing or accessing data. Deletion of data can also be a breach, as Dorset Hospital discovered that over 5k of patient images had recently and accidentally deleted during an archiving activity.² Everyone hits the delete button, but if your IT setup doesn’t allow for recovery, then how can your business recover from the situation

Equally, sending an email to the wrong recipient is a common threat to data security. Especially when the numbers are considered. The average person receives 100+ emails a day, sends 40+ themselves and gives a little over 10 seconds attention to each.³ These numbers allow for a large margin for error. Who doesn't use auto-suggest functions when sending emails? It's easy to accidentally send confidential information to the wrong person, or even worse – groups of people. Deleting and sending information are everyday business practices and actions that should have fail safes in place, especially when it comes to in unrecoverable action.

Publishing confidential data in error

In August 2020, almost 400 people in Powys were impacted by a data breach after contracting COVID-19.⁴ Public Health Wales admitted the mistake, explaining the data had been accidentally uploaded onto a public server.

However, over 18,000 people's data was available to view online for 20 hours before it was removed due to this error. The data had been viewed 56 times, but there was no evidence of misuse. 

Password security

According to the Nordpass 2021 report, 123456 is the most popular password globally, over 5m people in the UK use this as their password and it takes less than one second to crack. In fact, only seven of the top 100 most commonly used passwords in the UK take more than three minutes to hack.⁵

As well as failing to create strong, unique passwords, people are guilty of keeping passwords on post-it notes in open view, or sharing them with colleagues. This is another clear example of employees demonstrating a lack of security awareness.

Security updates

Outdated software is a welcome invitation for hackers. Employees ignoring software updates, disabling security features or downloading unauthorised software makes hacking easier for cyber-criminals.

When gaps in security software are discovered, developers fix the vulnerability and send out updates to all users before cyber criminals can compromise more devices. This is why users must install security updates on their computers as soon as they are available.

Phishing scams

A phishing email relies on deception to steal confidential information. Phishing scam victims are deceived into engaging with emails because they believe the email is genuine. Cyber criminals will typically use phishing emails to ask for:

• date of birth
• phone numbers
• credit card details
• home address
• password information.

This information is then used to carry out fraudulent activity. Alternatively, a phishing email could contain a link which when clicked, releases malware into the system. The criminals might demand a ransom to return your systems to normal.

In fact, an ONS report has found that the amount of phishing emails reported utilising advanced fee fraud has increased from a little over 3k a year in March 2020 to over 4,500 in March 2022.⁶ Phishing emails are a lucrative opportunity for criminals and won’t be going away anytime soon.

Train your teams to adopt these simple approaches to help prevent data breach:

• Raise awareness
  Increase training and awareness of how to detect a phishing email scam. Arrange training sessions for your employees with mock scenarios to help them identify phishing emails.
• Install antivirus and anti-malware software
  Make sure you have cyber controls in place so security software is kept up-to-date on all your business equipment and segment networks that could stop the spread of an attack.
• Create a recovery plan
  Help minimise the damage caused by a cyber breach. Your plan should cover how to recover data quickly, ensuring your business continues to run as smoothly as possible.

Here to help

Explore the key findings from our UK Business Risk Report 2022 and access tools to help you address your business’s biggest risks. Visit our risk hub and the National Cyber Security Centre for more tools and guidance on cyber security.