The data breaches reported this week at Capital One and NAB demonstrated that human error represents a serious cyber risk to an organisation.
In its Notifiable Data Breaches scheme’s 12‑month insights report, published in May, the Office of the Australian Information Commissioner (OAIC) states that 35% of all reported breaches resulted from human error.
Bitglass Vice President Asia Pacific, Dave Shephard, says: “The financial services sector reported the second-highest number of data breaches in the 12-month period covered by the report, trailing only the health sector. And 41% of the breaches reported by financial services organisations related to human error.”
Shephard adds that customers should be able to trust that their bank is protecting their financial and highly personal information.
He says: “We’re all paranoid about banking fraud, but account compromise or card fraud should be of far less concern to an individual than having their passport or driver licence details compromised. Serious damage can be done through identity impersonation should this type of data fall into the wrong hands.”
In the case of Capital One, a misconfiguration of a cloud server in AWS was to blame, while the breach at NAB was the result of an employee mishandling data. While hacking and malware consistently rank among the most common causes of breaches, careless and malicious insiders remain a top concern for companies.
People make mistakes, but organisations can do more to identify these mistakes and prevent them from leading to harm.
Culture: It’s important that everyone understands the value of data and that the company promotes a culture of managing data with care. This has to extend across the whole organisation and come from the top down.
Policies: Define and communicate clear policies around data privacy and information protection. This should form part of ongoing cyber awareness training for users.
Controls: Use controls that monitor and flag questionable or higher-risk user activities, as well as controls that can identify when data is being inappropriately stored or shared.
Shephard concludes: “The problem with the insider risk is that most users have legitimate credentials and privileges; they are meant to be where they are, doing what they’re doing. It can be very difficult to identify a problem until something bad has happened.”