This week, we saw a further reminder of why human error accounts for the majority of data breaches in the UK. A (now ex) employee of Newcastle Council unwittingly sent the details of thousands of children and their adoptive parents via an email attachment pertaining to a party invitation. The details included names, addresses and birthdates of adopted children – and the ICO is investigating.
For all the justifiable furore over malicious data breaches, it’s often forgotten that actually almost two-thirds (62%) of the incidents reported to the ICO last year were accidental – human error is by far the most significant factor in data breaches. However, it’s also the easiest to fix. We just need technology to apply a helping hand to robust processes. Mike Constantine, CTO at GCI explains how.
What are the key learnings from these incidents?
We must remember that humans are always the weakest link in the chain. There’s still a misconception that hacking is the biggest threat with regard to an organisation’s data. Although of course that’s a very real danger, the single biggest cause of data falling into the wrong hands is people just making mistakes – and the ICO numbers above back this up.
The situation is getting ever more complicated. Organisations increasingly have complex supply chains, this can include trusted third parties like contractors, agency staff, partners, and other suppliers. So, it’s not just ‘regular’ staff that have access to confidential data – in many cases processes and policies have not evolved to take account of this changing picture.
The issue now is that if you’re an organisation that holds personal data (i.e. pretty much every company or public sector body in the UK) you’re breaking the law by not protecting it. The existing data protection act is stringent but from next May, GDPR will beef this up substantially with fines of up to €20 million or 4 per cent of global turnover.
So, what can organisations do on a practical level to protect their data?
It’s important to classify each and every piece of information they hold and build the appropriate access permissions around it. We can learn a lot from how the Government classifies information with categories assigned to ‘official’, ‘secret’ and ‘top secret’. Each profile comes with a set of personnel, physical and information controls governing how it should be treated. Of course, each organisation needs to adjust to suit their needs but the fundamental principles are the same.
At a practical level, it means locking down sensitive documentation and putting controls around who can read, modify, and open information. Looking at the Newcastle example, if the document had been protected in this way, damage would have been limited as only those authorised to see the file would have been able to view it.
How widespread is the problem?
Very widespread. Big incidents like Newcastle make the headlines but there are plenty of other smaller issues that cause concern in organisations every day. The impact of digitisation is also at play here (as well as supply chains). Most organisations (if they’re being honest) have lost track of where their information is. Employees for instance, routinely put company information in cloud storage services, or send to personal email, put in USB devices etc. They’re not necessarily doing it for malicious reasons, indeed many are doing so to (for example) work from home or on a different device. Regardless of the reason, firms have lost control of that data.
How can technology help?
It’s important to say at the outset that technology is only as good as an organisation’s policy. Before firms even think about the technology they need to ascertain the following:
- Where is your data? Remember the points about supply chain and digitisation.
- What data do you keep? To the point made about classification of data.
- How do you control it? Think about information or access is restricted (or not).
Only after these points get considered can we come to technology. There are various solutions on the market but personally, I favour Microsoft Azure Information Protection and the Enterprise Mobility + Security suite. The former allows firms to classify documents easily (and automate the process of doing this to legacy files). It means that documents can be watermarked and rules applied on who can read, write, modify, and print files. It can also set controls on emailing outside a set group of users. The latter is very useful for security monitoring. By looking at suspicious logins it can help prevent hacking into an organisation. It’s also very good at enforcing password policies – if someone logs in from London then five minutes later in Edinburgh it will know that something is awry and flag the issue. Another key feature is mobile device management – if your employee loses their device on a train (for example) then it can be remotely wiped in seconds.
But back to my point, technology is not a substitute for a robust security policy – it must work hand in hand with it.
Come and talk to us about our managed solution for Enterprise Mobility + Security and let us help you make your organisation secure and productive.
Mike Constantine is Chief Technology Officer at GCI.
Mike’s technology department embraces the product management and pre-sales functions.
Mike and his team aim to plug the technology gaps that our customers face and help them to see through the “fog” as they shape their business improvement strategies. His stated focus is to ensure GCI pick the right solutions, demystify and translate those solutions into plain English business benefits, make the commercial arrangements simple and compelling.