Human Error: The Hidden GDPR Threat
The majority of incidents are due to human error as opposed to hacking or malicious insiders.
By Morten Boel Sigurdsson, CEO, Omada
It is now just over four months since the introduction of the GDPR, legislation which has fundamentally altered how organizations and citizens alike both see and handle privacy data. GDPR has added yet another layer of risk for organizations, and since the introduction of the legislation many breaches have seen the light of day. But what is the main lesson from these incidents? Which risks are organizations facing in the new era of GDPR? And is there a clear weak link that organizations should be paying closer attention to?
The GDPR is a new situation which companies need to adhere to and which increases the risk companies face from incidents. When companies come to us seeking advice, we structure our dialogue by grouping organizations’ challenges into four categories: 1) the increase in traditional compliance demands, 2) the rise in hacking activities, 3) internal data theft, and 4) human error. All four now have an added layer on top, a layer which acts as a multiplier in terms of risk: GDPR.
For organizations, this means that it has never been more important to pinpoint, and subsequently address, the causes of these risks.
To err is human
Looking at the many incidents which have been reported, one thing becomes clear: the majority of incidents are due to human error as opposed to hacking or malicious insiders. “To err is human”, as we all know.
Human error is behind a staggering share of the recent data breaches, yet it is an often-overlooked risk for many companies. The danger posed by both irresponsible and uninformed employees is one to take note of, as last year’s highly publicized WannaCry incident goes to show: human error played a key role in one of the largest cyber incidents in recent years. Employees may be uninformed, they may be careless, or their actions may be malicious, but mostly, it seems, it is just down to pure human nature – human beings make mistakes. And hackers prey on these mistakes. This is a significant threat to pay heed to, not least in today’s GDPR era.
According to a report from Willis Towers Watson, human error was behind a staggering 90% of all claims the consultancy had examined in the wake of data breaches, with external threats and extortion thereby being much less common than previously thought. In the most recent IBM Cyber Security Intelligence Index, this number is even higher, with the report stating that 95% of all security incidents involve human error. Another report cites 66% of data protection and privacy training professionals as believing that employees in their organization are the weakest link.
Internal is now external
Previously, many of the incidents reported today would simply have been fixed internally, without reporting to the authorities or notifying the data subjects. If, for instance, a human error had resulted in a wide-open OneDrive or an FTP server containing PiD (Personally Identifiable Data) being exposed to potential misuse by people who should have absolutely no access to the data, the ‘hole’ would just have been closed.
Today, internal incidents are most often made public in order to comply with the GDPR. This means that whether or not the incident is significant or causes any damage to any data subjects, the company in question suffers reputational damage, as the breach is publicized.
Human error (or negligence) is the most common source of data breaches, according to the research. Human beings always have made – and always will make – mistakes. To limit the human error risk, access to data residing on file shares, OneDrives and other data containers must be reduced to fewer people on a ‘need to have access’ basis. By introducing an Identity & Access Governance solution to manage digital identities and access rights across multiple systems and applications, organizations can limit the risk of human error. IGA solutions ensure that only the right people get access to the right resources at the right times for the right reasons. IGA solutions govern access to PiD from a ‘least privilege’ perspective. This means sensitive PiD will only be accessible to the limited number of employees who need access to do their job, and an audit trail of who had access to the data is available, which again limits the risk of human error leading to a breach that has to be reported.
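As an added illustration of the ‘need to have access’ review described above (example code written for this article, not Omada’s product or the article’s own code): it scans a constructed share ACL listing, flags grants on PiD shares made to broad groups or without a recorded business justification, and writes an audit record for every decision so that who had access can be reconstructed later. The group names and share paths are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Principals that are effectively "everyone" (assumed names; adjust for your directory)
BROAD_PRINCIPALS = {"Everyone", "Anonymous", "Authenticated Users", "Domain Users"}


@dataclass
class AclEntry:
    share: str
    principal: str
    rights: str              # e.g. "read" or "change"
    justification: str = ""  # business reason recorded when access was approved


def review_access(acl, pii_shares, audit_log):
    """Return least-privilege findings for PiD shares and log every decision.

    A finding is (share, principal, reason). audit_log receives one record per
    examined entry so 'who had access, and why it was allowed' is on record.
    """
    findings = []
    for e in acl:
        if e.share not in pii_shares:
            continue  # non-PiD share: outside the scope of this review
        reason = None
        if e.principal in BROAD_PRINCIPALS:
            reason = "broad group granted access to PiD"
        elif not e.justification:
            reason = "no need-to-have justification on record"
        audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "share": e.share, "principal": e.principal,
            "rights": e.rights, "flagged": reason,
        })
        if reason:
            findings.append((e.share, e.principal, reason))
    return findings


# Constructed sample: one wide-open PiD share, one properly scoped grant, one non-PiD share
SAMPLE_ACL = [
    AclEntry("\\\\files\\hr-payroll", "Everyone", "read"),
    AclEntry("\\\\files\\hr-payroll", "hr-payroll-team", "change", "payroll processing"),
    AclEntry("\\\\files\\hr-payroll", "jdoe", "read"),
    AclEntry("\\\\files\\marketing", "Domain Users", "read"),
]
PII_SHARES = {"\\\\files\\hr-payroll"}

if __name__ == "__main__":
    log = []
    for f in review_access(SAMPLE_ACL, PII_SHARES, log):
        print("FINDING:", *f)
    print(f"{len(log)} access decisions recorded for audit")
```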
If you would like to learn more, read our best practices e-book for a successful identity governance and administration project and help your organization limit the threat of human error.
Omada | October 2018
Omada CEO Morten Boel Sigurdsson has more than 25 years of experience providing innovative IT related services and solutions for large global organizations. He has a background from SAP and A.P. Moller Maersk.