The Human Factor – minimising the risk to your information from human error

Lost laptops or disks, saying the wrong thing loudly on the phone on the train, leaving a folder of sensitive customer details in the pub – all can have a serious impact. People make mistakes. This article gives advice on what you can do to minimise the risk of human error.

Social Engineering is on the rise

“People are the weakest link at any level of security,” says a hacker quoted in a BBC article.

People are often the weakest link in securing information within an organisation. Social engineering, where users are duped into giving away their passwords or other sensitive information, has always been the easiest way to get information.

A report by Computer Weekly (September 2011) found that less than a third of UK businesses provide regular training aimed at preventing social engineering attacks, despite 42% being hit this way in the past two years, at an average cost of £15,000 per incident.

Often, security incidents arise because of a failure to comprehend the risk. Awareness and personal responsibility in protecting the organisation against information incidents is key. This awareness needs to permeate the entire organisation so everyone understands their relationship to information risk and their responsibilities.

Security awareness programmes and training should be an ongoing function – from induction to regular training and updates.

The following story illustrates how a simple lack of awareness of security risks at a children’s hospital resulted in a full-scale data security breach, in addition to the payment of damages and jail for one unsuspecting man.

The story of the jealous boyfriend

An Ohio man sent an email containing spyware to his girlfriend because he thought she might be cheating on him. The girlfriend opened the email on her work computer, so the spyware installed itself on her work system rather than her home system. As a result her boyfriend began to receive copies of her emails, which included sensitive medical information. This constituted a data security breach on the part of the Children’s Hospital where his girlfriend worked.

Whilst the man was caught, sentenced to up to 5 years in prison and forced to pay $33,000 in damages to the hospital, the hospital could have done much more to eliminate this risk.

Lessons to be learned:

    • Allowing access to home email from work IT systems increased the risks and additional protection was required.
    • Anti-virus/anti-spyware software might have prevented or identified the spyware and alerted the systems administrators.
    • ‘System hardening’ could have helped.
    • The breach was likely caused by poor policies and procedures within the hospital and a lack of training for the staff. Make sure all staff are aware of what constitutes sensitive information and that such information has adequate levels of protection.
    • Never send sensitive information across the internet or by email unencrypted.
    • Don’t spy on your girlfriend!

Article by Dave James, MD of Ascentor
