Almost 400 data breaches were reported to the Irish Department of Social Protection last year, of which many were the result of information being sent to the wrong person, according to a recent FOI request.
“With businesses in charge of so much data nowadays, it is almost expected that at some point data will be lost due to human error. Something we see most commonly is high volumes of emails being accidentally sent to the wrong recipients each week. Alarmingly, the processes in place for most businesses do not protect the user, and there is no clear-cut way organizations can tell what sensitive information has left the business, or where it went, without utilising the right tools,” says Martin Sugden, CEO at Boldon James (www.boldonjames.com).
“The data businesses hold is one of their most valuable assets. Much of this data holds sensitive information about their customers and staff; therefore, if this data were to be breached, it could cost the business a large fine under GDPR. Commonly, insider threats are thought to be malicious actors within an organization who publish sensitive data, as was the case in the Morrisons data breach (www.infosecurity-magazine.com/news/morrisons-wins-breach-ruling), but businesses should not see this ruling as a way out; the court did not say there could never be vicarious liability for the conduct of employees in the world of data protection.
“Businesses should therefore be investing in measures such as data classification, where confidential documentation has a layer of protection attached to it, meaning certain rules apply to that data set. For example, only manager-level staff can access certain documentation, or moving it to another machine or site, or emailing it to anyone internal or external, would require authorization from a department leader.”
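To make the two points above concrete, here is an added illustration (not Boldon James' product, nor code from anyone quoted in this article) of how a classification label can drive a rule at the point where data most often leaks: outbound email. It reads a classification header from a message, applies a per-label rule table (who may send the data at all, and what happens when a recipient is outside the organization), and fails closed on unlabelled mail. The internal domain `example.com`, the header name `X-Classification`, the role names and the approver role `department_lead` are all assumptions made for the example; the sample messages are constructed, and the misdirected one carries a mistyped recipient domain of the sort Sugden describes.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this example (not from the article or any vendor):
INTERNAL_DOMAINS = {"example.com"}           # the organisation's own mail domains
CLASSIFICATION_HEADER = "X-Classification"   # header carrying the label
APPROVER_ROLE = "department_lead"            # role whose sign-off releases held mail

# Per-label rules: which sender roles may handle the data at all (None = anyone),
# and what happens when the message is addressed outside the organisation.
# "approve" means the message is held until an approval from APPROVER_ROLE exists.
POLICY = {
    "Public":       {"roles": None,                    "external": "allow"},
    "Internal":     {"roles": None,                    "external": "block"},
    "Confidential": {"roles": {"manager", "director"}, "external": "approve"},
    "Restricted":   {"roles": {"director"},            "external": "block"},
}


@dataclass(frozen=True)
class Decision:
    action: str    # "allow" | "block" | "approve"
    reason: str


def recipient_domains(msg):
    """Lower-cased domain of every To/Cc/Bcc address on the message."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.rsplit("@", 1)[-1].lower() for _, addr in getaddresses(headers) if "@" in addr]


def evaluate(raw_message: str, sender_role: str, approvals=frozenset()) -> Decision:
    """Decide whether a labelled message may leave, must be held, or is blocked."""
    msg = message_from_string(raw_message)
    label = (msg.get(CLASSIFICATION_HEADER) or "").strip()
    rule = POLICY.get(label)
    if rule is None:
        # Unlabelled or unknown label: fail closed instead of guessing a sensitivity.
        return Decision("block", f"missing or unknown classification {label!r}")
    if rule["roles"] is not None and sender_role not in rule["roles"]:
        return Decision("block", f"role {sender_role!r} may not send {label} data")
    external = sorted({d for d in recipient_domains(msg) if d not in INTERNAL_DOMAINS})
    if not external:
        return Decision("allow", f"{label}: all recipients are internal")
    targets = ", ".join(external)
    if rule["external"] == "allow":
        return Decision("allow", f"{label} may leave the organisation")
    if rule["external"] == "block":
        return Decision("block", f"{label} must not be sent to {targets}")
    if APPROVER_ROLE in approvals:
        return Decision("allow", f"{label} released to {targets} with {APPROVER_ROLE} approval")
    return Decision("approve", f"{label} to {targets} held for {APPROVER_ROLE} sign-off")


# Constructed sample messages (not real mail). The second recipient's domain is a
# typo of the internal one, the classic misdirected-email case.
MISDIRECTED = """\
From: alice@example.com
To: bob@example.com, bob@exmaple.com
Subject: Q3 payroll
X-Classification: Confidential

Attached are the payroll figures.
"""

UNLABELLED = """\
From: alice@example.com
To: partner@vendor.example
Subject: Contract draft

Draft attached.
"""

if __name__ == "__main__":
    for role in ("analyst", "manager"):
        print(role, evaluate(MISDIRECTED, role))
    print("approved", evaluate(MISDIRECTED, "manager", {APPROVER_ROLE}))
    print("unlabelled", evaluate(UNLABELLED, "manager"))
```

The rule table is the part a real deployment would tune; the important design choices are that an unlabelled message is treated as the most sensitive case rather than the least, and that the "approve" path records who released the data, which is exactly the audit trail Sugden says most businesses lack.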
“The key is to educate users to help them understand how they can operate in a more secure way,” says Sugden. “By involving users in data classification, you empower them to automatically become more data-aware, with a greater understanding of policies and the value of an organization’s data.”