That’s old news of course, it’s an issue that’s been highlighted for years. Then how come it's still the case today? More importantly, what can an organization do to achieve optimum data security? In this article, we bring you clarity on the topic, and highlight tools that can guarantee data security. The article focuses on data leaks caused by human activity, from the organizational perspective, which involve personal data. Let’s begin with a quick refresher on data breaches, with a focus on personal data.
A leak of personal data
A data breach is recorded as soon as the security of personal data is compromised. A data breach is defined as follows:
A data breach means access to, destruction of, alteration of, or release of personal data held by an organization, without that being the organization's intention. A data breach covers not only the release (leakage) of data, but also its unlawful processing.
It’s difficult to prevent data leaks caused by human error, and the risks they bring with them. Technical defects in information security, by contrast, can be detected by a specialist party, and the related improvements or optimizations are usually easy to implement.
It happens on a daily basis that, among other things, letters and e-mails are incorrectly addressed, employee hardware is lost, or someone clicks the wrong link. Lately, various news reports have also shown how employees' curiosity can pose a risk to personal data, for example in incidents involving famous people, although the same can happen to members of the general public. Sectors that handle lots of personal data are particularly vulnerable. The healthcare sector has been a leading source of data leak incidents for years. Education is another sector that’s sensitive to such threats, which is not to say that other sectors are any less vulnerable.
Risks and consequences
The obvious risk is that data ends up in the wrong hands. Currently, this risk is often downplayed. Indeed, there is a slim chance that data from a paper bin would reach the hands of someone who deliberately uses it harmfully. In recent years however, we have seen unfortunate examples of data being stolen from organizations and actively misused, or at least traded via the Dark Web:
- 2011: Sony, 75 million private details
- 2013: Adobe, 75 million private details
- 2017: Equifax, 143 million private details
- 2018: Marriott, 500 million private details
However, risk is not just about the degree of chance that something will happen. It is a combination of chance and impact. While the chance may be small, maybe even zero, the impact can be enormous for both the 'victim' and the organization held responsible. Examples include identity theft and the misuse of medical data, but also the deliberate leaking of information to the media about people in the public eye. For the organization held responsible, consequences range from a warning to a fine, which can be steep. On top of that, it’s important to remember the associated damage to corporate image. It is the task of every organization to minimize this risk.
What can be done to prevent these incidents
Fortunately, an array of actions and improvements, both organizational and technical, can be employed to minimize human error. Various simple, easy-to-implement changes can be applied, in combination with common sense. Taking these measures does not mean your security work is done, however. Security is a continuous process that deserves constant attention, but the following examples will help to fast-track your efforts.
For example, a lot of data is often stored unnecessarily. Remember, you don’t need to secure data you don't have. Some sensitive data will be needed, but it’s important to store it separately, on the understanding that keeping it incurs additional risk, and extra measures must therefore be taken to reduce that risk. It still happens far too often that personal data gets included within a larger bulk of data. That means it’s sent back and forth unnecessarily and may be visible to too many people. A common example is the many Excel export options that software platforms offer.
Awareness is also very important, of course. That may sound obvious, but for many employees, such issues are far removed from their field of work. It is definitely recommended to run regular, repeated data security and privacy training for staff. Note that we send specific employees on yearly BHV (Health and Safety) training; the same power of repetition is crucial for privacy, even if such training is not mandatory. Moreover, this should be a permanent fixture within a larger plan, so that it really is part of the organization's policy.
In addition to awareness and organizational changes, supporting software exists that can drastically reduce human error. Microsoft Azure is a good example. Azure offers "Azure Information Protection," a tool that can encrypt information and automatically assign a classification to a document. It is able to recognize sensitive data in a document, and from there rights can be assigned to users within your IT environment. A specific person could, for example, be allowed to view highly confidential data, while printing or forwarding it would be blocked.
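As an added illustration of the classify-then-restrict idea in the two paragraphs above (this is not code from the article, and not Azure Information Protection's own API): a small Python scanner that inspects an Excel-style export for personal data, assigns a label, and checks a requested action against per-label rights. The sample export, the BSN and e-mail detection rules, the label names and the rights table are all constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed sample of an Excel-style export (CSV here) in which personal data rides
# along with ordinary order data; the e-mail addresses and BSNs are made-up test values.
SAMPLE_EXPORT = """order_id,customer_email,bsn,amount
1001,j.jansen@example.com,123456782,49.95
1002,sales@example.com,,120.00
1003,,,15.50
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Hypothetical rights per label: the top label permits viewing only, so print/forward are blocked.
RIGHTS = {
    "Public": {"view", "print", "forward"},
    "Confidential": {"view", "print"},
    "Highly Confidential": {"view"},
}

def is_valid_bsn(value: str) -> bool:
    """Dutch BSN '11-proof': nine digits with 9*d1 + 8*d2 + ... + 2*d8 - d9 divisible by 11."""
    if len(value) != 9 or not value.isdigit():
        return False
    digits = [int(c) for c in value]
    total = sum(d * w for d, w in zip(digits[:8], range(9, 1, -1))) - digits[8]
    return total % 11 == 0

def classify_export(csv_text: str) -> tuple[str, dict[str, str]]:
    """Scan every column; return (label, {column: kind of personal data found})."""
    findings: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            value = (value or "").strip()
            if not value or column in findings:
                continue  # empty cell, or column already classified by an earlier row
            if is_valid_bsn(value):
                findings[column] = "national_id"
            elif EMAIL_RE.match(value):
                findings[column] = "email"
    if "national_id" in findings.values():
        return "Highly Confidential", findings  # a national identifier forces the top label
    return ("Confidential" if findings else "Public"), findings

def is_allowed(label: str, action: str) -> bool:
    """Policy check: may a user perform `action` on data carrying `label`?"""
    return action in RIGHTS.get(label, set())
```

Running `classify_export(SAMPLE_EXPORT)` labels the whole export "Highly Confidential" because one column carries national identifiers, which is exactly the situation the paragraph on bulk exports warns about.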
Sentia can help organizations to set up and manage their complete, and above all business-critical, IT environment. Every day, we help customers in the context of end-to-end unburdening by supporting the implementation of various tools and processes. The common goal is to optimize every aspect of a customer's IT environment and make it more secure. During implementation, it’s also important to reflect on design, possible alternatives and ease of use. We lead the way!