We read almost constantly about cyber security issues and sophisticated attacks that have breached organisations’ defences. And with GDPR now having come into effect, the information security regulator, the ICO, can levy large fines for breaches or for failing to take proper care of customer and personal data.
However, the biggest cause of data breaches is something much simpler and closer to home. It’s human error. In fact, the ICO has said that over 85% of breaches are due to human mistakes.
This can affect organisations large and small. One notable case that the ICO ruled on over the summer involved Gloucestershire Police, one of whose officers sent an update email concerning alleged victims of child abuse. The officer meant to ‘blind copy’ all the recipients so that people couldn’t see each other’s names or email addresses, but accidentally put all the addresses in the visible ‘to’ field. The force was fined £80,000 by the ICO.
Something as simple as email error is, in our experience, one of the most common mistakes made. It could be a case of not blind copying or it could simply be sending an email to the wrong address. We all know that these things can easily happen, especially when someone is under time pressure or multi-tasking doing something else. But if an incident like this leads to the leaking of someone’s personal, sensitive data then the consequences could be serious, however innocent the mistake.
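Two of the mistakes described above, addresses left in the visible ‘to’ field that should have been blind copied, and a message sent to a mistyped address, can be caught by a pre-send check before the email leaves the outbox. The following is an added illustration written for this article; it is not code from the article, from nuBright or from any mail product. The sender's domain, the recipient threshold, the list of known correspondent domains and the sample message are all constructed for the example.

```python
"""Pre-send checks for two common e-mail mistakes: external addresses left
visible in To/Cc (should have been Bcc) and a recipient at a mistyped
domain.  Added illustration; thresholds and domains are constructed."""
from dataclasses import dataclass, field
from email.utils import getaddresses


@dataclass
class OutgoingMail:
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)


def _addresses(headers):
    """Flatten 'Name <user@host>' header values into lower-case addresses."""
    return [addr.lower() for _, addr in getaddresses(headers) if "@" in addr]


def _edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_visible_recipients(mail, sender_domain, max_visible_external=1):
    """Flag the 'To instead of Bcc' pattern.

    If more than max_visible_external addresses outside sender_domain sit in
    To/Cc, every recipient can read every other recipient's address, which is
    what turns a routine circular into a reportable breach.  The threshold is
    an assumption; a genuine group mail should go via a distribution list.
    """
    visible = _addresses(mail.to + mail.cc)
    external = [a for a in visible if not a.endswith("@" + sender_domain)]
    if len(external) > max_visible_external:
        return [f"{len(external)} external recipients visible in To/Cc; use Bcc"]
    return []


def check_lookalike_domains(mail, known_domains, max_distance=1):
    """Flag recipient domains that are one typo away from a domain you
    regularly correspond with but are not that domain."""
    warnings = []
    for addr in _addresses(mail.to + mail.cc + mail.bcc):
        domain = addr.split("@", 1)[1]
        if domain in known_domains:
            continue
        for known in known_domains:
            if _edit_distance(domain, known) <= max_distance:
                warnings.append(f"{addr}: did you mean @{known}?")
                break
    return warnings


def presend_warnings(mail, sender_domain, known_domains):
    """All warnings for one message; an empty list means nothing to flag."""
    return check_visible_recipients(mail, sender_domain) + check_lookalike_domains(
        mail, known_domains
    )


if __name__ == "__main__":
    # Constructed sample: a circular to several unrelated individuals, with one
    # internal colleague copied in.  Domains here are placeholders.
    msg = OutgoingMail(
        to=["a.jones@gmail.com", "b.patel@outlook.com", "c.lee@yahoo.co.uk"],
        cc=["colleague@force.example"],
    )
    for w in presend_warnings(msg, "force.example", {"force.example", "partner.example"}):
        print("WARNING:", w)
```

The check is deliberately conservative: it blocks nothing, it only warns, and a warning at the moment of sending is what gives a busy person the chance to move the addresses to Bcc or correct the typo before the message goes out.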
Other common human error issues include staff simply disclosing too much, or inappropriate, information. This can happen over the phone just as easily as in writing. For example, if someone phones a hotel or holiday park claiming to be a guest’s friend or relative, the natural instinct of a helpful staff member is to tell them what they want to know. Most of the time this will be harmless, but it could end badly if the caller has bad intentions.
Other issues straddle the boundary between human error and system weaknesses. For example, a staff member clicks a link in a ‘phishing’ email, which then installs malware or opens access to systems full of data. This is both an error by the staff member and a system weakness, because properly installed software defences should prevent or limit the damage.
This is why it’s vital to ensure that staff have the training they need around cyber security and GDPR/data protection issues. Staff are your first line of defence, and awareness of the issues is key. At nuBright, a joint venture between Stephens Scown and Bluegrass Group, we offer accessible and straightforward training that can help.
When businesses stand back and look at their processes, they often find that it’s not just a compliance issue: there are improvements they can make that create a more efficient business. There are real returns in getting on top of the GDPR, as well as helping keep your business out of a very unwelcome spotlight.
Robert Camp is managing partner of Stephens Scown LLP and a director of nuBright, the firm’s joint venture with Bluegrass Group. To find out about GDPR training visit www.nubright.co.uk, for more about legal services go to www.stephens-scown.co.uk.