…

Common employee mistakes resulting in data breaches

Despite all the modern security solutions in our increasingly digital world, employees still make mistakes that may lead to data breaches. Human error caused 90% of cyber data breaches in 2019, marking yet another increase year on year. CEO of CybSafe, Oz Alashe said:

“It’s almost always human error that enables attackers to access encrypted channels and sensitive information. Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up”.1

The average cost of a data breach has risen 12% over the last 5 years to a staggering £3.1million.2  A cyber liability insurance policy can protect your business in the event of human error, but your best line of defence is having well-informed and vigilant employees.

Below are some examples of some of the most common types of human error leading to data breaches.

Sending valuable data to incorrect recipients via email

Earlier this year in Shropshire, 250 email addresses were exposed in a data breach by Shropshire Council. The simple act of sending an invitation to a webinar resulted in an investigation after recipients could see each other’s email addresses. An individual had failed to use BCC, instead putting all recipients in the ‘to’ field. Shropshire council’s data protection officer undertook a risk assessment and had to disclose the incident and confirm action taken to the Information Commissioner’s Office (ICO).3

Accidentally emailing documents with sensitive data

A hospice claimed against their cyber liability policy with specialist insurer, Beazley, when an employee emailed a report of patient referrals and admissions to themselves via an unsecured channel on two separate occasions. The data sent in the reports included 818 patient names and admission details. The employee of the hospice, which serves about 370 terminally ill patients daily, was said to have been emailing spreadsheets to a personal email account in order to complete work from home.4

Publishing confidential data on public websites by mistake
In August 2020, nearly 400 people in Powys were impacted by a data breach after they contracted COVID-19. Public Health Wales admitted the mistake, explaining that the data was accidentally uploaded onto a public server. This individual human error meant that the personal information of up to 18,105 people was available to view online for 20 hours before it was removed. The data had been viewed 56 times but there was no evidence of misuse. The Information Commissioner’s Office (ICO) and Welsh Government were informed and an external investigation is underway5.

Misconfiguring assets to allow for unwanted access
Outdated software is a welcome invitation for hackers, as it presents known vulnerabilities. Employees can help cyber-criminals compromise sensitive data by ignoring software updates, disabling security features or downloading unauthorised software2.

Phishing scams
According to information from insurance giant AIG, business email compromise (BEC) has overtaken ransomware and data breaches as the primary reason companies filed a cyber insurance claim in Europe, the Middle East and Asia5. Beazley claims 22% of all BEC incidents take place in the healthcare industry, second only to financial institutions6. In most cases, the compromise can be traced back to a phishing email containing a link or attachment.

Take some of these simple steps to help safeguard your business against phishing attacks:

  • Raise awareness:
    Make your employees aware of the danger of phishing scams, encouraging staff to be more vigilant when responding to suspicious emails.
  • Educate your employees:
    Front-line staff are your last wall of defence when it comes to phishing scams. Conduct training sessions for your employees with mock scenarios to help them identify phishing emails.
  • Install antivirus software:
    Keep antivirus software up-to-date on all your business equipment.
  • Have a recovery plan:
    Create a reliable recovery plan to help minimise the damage posed by a cyber breach, recover data quickly and keep your business running as smoothly as possible.

Key workers in the health and social care industries are facing a huge challenge with the coronavirus pandemic. While hearts and minds are focused on the task at hand, don’t let the risk of human error rise in the background. Ensure your business is protected by a cyber liability policy, and keep cyber-security front-of-mind for employees by reminding them to accept software updates and allow them to finish, take notice of pop-ups and take the time to improve their knowledge on cyber-security.

 

Sources:

1 Infosecurity Magazine

2 cbronline.com

3 Shropshire Star, December 2019

4 Beazley’s cyber claims data, 2020

5 Countrytimes.co.uk, 14 September 2020

AIG Cyber Claims: GDPR and business email compromise drive greater frequencies

Tags

Read our latest articles