The exposure of personally identifiable information (PII) or business-sensitive information to unauthorised entities due to human error remains a major concern for IT security decision-makers.
In a survey commissioned by email security solutions provider Egress, at least 70 percent of IT security decision-makers across the United States said that they had experienced data breaches caused by human error in the past five years, and half of these incidents occurred in the past twelve months.
44 percent of the decision-makers also said that employees at their organisations had leaked personally identifiable information (PII) or business-sensitive information when using their corporate email accounts.
As a result of frequent data breaches caused by employee error, human error now ranks among the top three concerns for IT security decision-makers, alongside external hacks and malware infections.
“As the workforce has become more reliant on digital communication, and is increasingly remote and flexible, it has also become more difficult for traditional network perimeter security technologies to protect data,” said Tony Pepper, Chief Executive Officer at Egress.
“In fact, people are now the new security perimeter in most organisations, and as a result, businesses need to evolve the way they protect themselves. This research highlights the growing imperative to detect abnormal human behaviour – including accidental data leaks – to stop breaches before they occur.”
Human error resulting in reputational and monetary damage to organisations
In the recent past, various data breaches caused by human error have resulted in reputational and monetary losses for organisations. Last year, the Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 by the ICO for failing to protect the identity of possible victims of child abuse.
An employee at IICSA erroneously pasted the e-mail addresses of 90 Inquiry participants into the ‘To’ field instead of putting the e-mail addresses of possible child abuse victims in the ‘bcc’ field.
Earlier this month, German software giant SAP had to issue a public apology after a database the company supplied to New Zealand Police gave 66 firearms dealers unhindered access to names, addresses, contact numbers, and bank account details of thousands of firearms owners in the country.
“As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records. A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP.
“We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error. The security of our customers and their data is of absolute priority to us. A full internal investigation is already underway within SAP,” the company said.
The survey commissioned by Egress also revealed that both corporate and personal email are the main sources of data breaches committed by employees. Aside from email, widespread human error also resulted in sensitive data getting leaked from other applications such as file sharing services, collaboration tools, and SMS instant messaging.
According to IT security decision-makers, even though awareness of risks within their organisations has increased, many employees are still sharing sensitive data both outside and within their organisations without encryption.