Businesses have never been more at risk of data breaches, writes Nik Williams, Managing Director of Shredall SDS Group.
A recent report by DLA Piper found that European companies suffered 60,000 data breaches in the months following the GDPR data protection law coming into force, equating to one every five minutes. Ransomware attacks are also growing by more than 350pc annually, while 70pc of businesses felt that their security risk increased significantly as recently as 2017.
The reports certainly seem to be reflected in the media, with Microsoft, Facebook and even home improvement retailer B&Q reporting data breaches in recent months. Both Microsoft and Facebook suffered sophisticated hacks, yet B&Q’s records of store thieves were made public simply because the information was stored on open source search engine technology that had not been set up to require user-ID authentication. This reflects an often overlooked truth about data breaches; although cyber attacks receive more attention in the press, it is more often human error or simple negligence that results in data breaches.
The Information Commissioner’s Office (ICO) revealed in their yearly financial report for 2017/18 that four of the five leading causes of data breaches could be attributed to human error.
1.Data sent by email to inc rep
2.Data posted/faxed to inc rec
3.Loss/theft of paperwork
4.Failure to redact data
Human beings are inherently flawed, and the mistakes of an individual can jeopardise the entire business. Indeed, the notorious Equifax breach of 2017, which leaked the personal data of nearly 146 million Americans, was reportedly due to one employee repeatedly failing to implement software updates that would have prevented the breach. Given the fact that a company’s employees can often be the weak link in its data security strategy, it is imperative that company directors understand which areas of the business are the most liable to cause a data breach.
1.Remote Workers
One type of employee that risks putting the wider business at risk is the remote worker. Telecommuting is an increasingly common working arrangement whereby employees are occasionally permitted to work from home, which has led to around 70pc of people globally working remotely at least one day a week.
However, remote work carries additional security risks. An employee working with a company laptop in a coffee shop might be using a Wifi network that is not secure, allowing even basic hackers to gain access to private company data. Additionally, few employees can avoid using paper files and these confidential documents can quickly become lost or stolen in public places.
Employers should therefore clearly outline their remote employees’ responsibilities regarding confidentiality and data protection. They must also establish device security policies that remove the scope for costly mistakes, such as by specifying that all file downloads should be work-related. Other advisable policies include implementing device monitoring, rigorous password protection and asking that devices and files are only used in specific locations with secure Wifi networks.
2.Administration department
Another vulnerable area of any business is the administration department. Responsible for a business’ financial planning, record keeping and logistics, an administrator is often the backbone of an organisation. An administrator’s role is therefore crucial for avoiding a data breach, as if any of their responsibilities are performed incorrectly sensitive data could quickly be obtained by malicious third parties.
With so many documents moving through the admin department every day, sensitive information found on meeting notes, tax forms and financial reports can become lost or stolen if an effective process is not in place. A prerequisite should therefore be establishing a clean desk policy in the office, whereby all employees are required to declutter their workspaces at the end of each day.
By implementing this rule, administrators will find it far easier to store and destroy sensitive documents. Any data that is still used and found in hard copy should be locked in storage cabinets overnight, with the most important files being stored off-site at a secure information management facility. Furthermore, documents that are no longer needed should be shredded immediately rather than thrown in waste bins, where they can be found and potentially used as blackmail or for fraudulent purposes.
3.Complacent managers
Complacency is perhaps the most common reason for a data breach, and higher-level managers who fail to promote data security best practices pose the greatest risk. Managers are responsible for setting the standard in cybersecurity, but if they become complacent in implementing security awareness programmes their employees may begin to also forget their training. Poor password management, opening suspect emails and leaving computers unlocked are all practices that creep into a business’ culture if an example is not set at the top. Not only should managers regularly encourage their staff to change their passwords and lock their devices, but they should also arrange for external training to be made available for all staff.
For example, managers should invest in up-to-date e-learning training sessions for both online and offline security, as well as invite IT experts to teach employees about common hacking risks and how they should respond to a successful data breach.
Takeaways
The rising threat of cyber attacks is undeniable, and companies of all shapes and sizes should ensure preparations are made to deal with direct attacks. However, businesses cannot afford to neglect the cost of mistakes made by staff and any budget set aside for cybersecurity should include resources for comprehensive training and secure document storage and disposal. Only then can the risk of human error be minimised.
About the author
Nik Williams is the Managing Director of Shredall SDS Group, a UK independently owned shredding, document storage and document scanning company. Shredall SDS Group operates across the UK serving small companies to large multinationals, and public and private sector.
