Surprise! Most Data Breaches Occur Due to Human Error
Even though many data breaches are carried out by cybercriminals, recent statistics show that a considerable share of such incidents occur because of failures inside the companies that store sensitive user and employee data. Thus, it is no wonder computer security specialists are talking more and more about how important it is to educate employees on how to protect the sensitive information they might have access to and how to avoid creating opportunities for hackers. To understand the situation better, this article reviews the available statistics for data breaches and hacks in 2017. It also covers the most common mistakes that lead to an accidental data breach and what organizations should do to try to avoid them.
How do statistics reveal that the human factor is vital in data breaches?
Gemalto, a company providing statistics on data breaches, named 2017 the year of internal threats and accidental breaches. As they claim in their early report, "incidents involving accidental loss increased significantly from under 250 million in 2016 to nearly 2 billion the following year." No doubt, the most significant breach in 2017 happened to a company called Equifax. As you might already be aware, the cybercriminals were able to hack in because of a vulnerability in the organization's website and poor security practices. Unfortunately, the consequences were horrific, as the hackers managed to steal sensitive data of around 147.7 million United States consumers. Apparently, during the attack, the hackers obtained their names, birth dates, Social Security Numbers, addresses, and even driver's license numbers. Sadly, such information is enough to cause the user a lot of trouble; for example, the hackers could apply for lines of credit in the user's name. For more information about the Equifax data breach, you should continue reading our previous blog post.
Furthermore, the Gemalto report shows most of the incidents in 2017 were carried out by a malicious outsider (1,269 incidents; 72% of all data breaches that occurred that year), and accidental loss was the second largest source (326 incidents or 18%). However, if you compare the numbers of compromised records between the two mentioned sources, it is clear more data was stolen due to accidental loss: during such data breaches hackers obtained more than 2.6 billion records, while attacks from malicious insiders compromised around 586 million records. Most data breaches and hacks occurred in the healthcare industry, with 471 incidents in 2017, or 27%. Nevertheless, the biggest number of stolen records again belonged to an industry with a comparatively small number of incidents. To be more precise, the industry category described as "other" experienced 68 incidents or 4%, but its compromised records numbered 1.3 billion (52%), while the breached records in the healthcare industry reached only 33 million or 1%.
What are the most common human mistakes that lead to data breaches?
The reports from the Information Commissioner's Office (ICO) show that a considerable part of the data breaches that happened in the first quarter of 2018 also occurred due to human error. According to their blog post, the most common mistakes that lead to data breaches are data posted or faxed to an incorrect recipient and data sent by email to the wrong recipient. Besides, a lot of sensitive information is put at risk because of loss or theft of the company's paperwork, failure to redact data, and failure to use bcc when sending emails. This shows it is not enough to put up a robust firewall or apply other IT solutions to protect the information the organization might store on its web pages or servers.
What can companies do to avoid data breaches?
Knowing most data breaches occur not just because of IT problems, but due to human error, it would be smart to start by educating the company's staff. The idea would be to teach employees security practices that would help them handle clients' information and deal with sensitive data. For instance, the team could organize training during which the staff could discuss the mistakes we mentioned before and suggest tips that could help avoid them. Plus, to realize how important it is and what could happen because of unsafe practices, it might be useful to discuss the consequences of compromising clients' data (e.g., a tarnished company reputation, loss in profits, and so on).
Next, computer security specialists recommend finding out what the organization's weak points could be and how hackers could manage to access the sensitive data that it might have collected. After creating possible scenarios, the company's employees should come up with a plan of what can be done in a particular situation or, better yet, how to remove the detected vulnerabilities. The reason the number of stolen records is so enormous in some data breaches is that organizations do not take any action right away and wait until the worst happens. In fact, in some cases, it takes at least a couple of attacks until the organization finally eliminates the factors allowing them to occur.
Lastly, it is essential to stress that even though many breaches might happen because of mistakes made by the staff, it is still crucial to have a strong firewall, to update the software whenever a patch or an update is available, and to restrict any access to sensitive information available through the company's web pages. As for what to do to prevent a data breach from the user's point of view, you could continue reading here.