The Human Factor – minimising the risk to your information from human error

Lost laptops or disks, saying the wrong thing loudly on the phone on the train, leaving a folder of sensitive customer details in the pub – all can have a serious impact. People make mistakes. This article gives advice on what you can do to minimise the risk of human error.

Social Engineering is on the rise

“People are the weakest link at any level of security,” says a hacker quoted in a BBC article.

People are often the weakest link in securing information within an organisation. Social engineering, where users are duped into giving away their passwords or other sensitive information, has always been the easiest way to get information.

A report by Computer Weekly (September 2011) found that less than a third of UK businesses provide regular training aimed at preventing social engineering attacks, despite 42% being hit this way in the past two years, at an average cost of £15,000 per incident.

Often, security incidents arise because of a failure to comprehend the risk. Awareness and personal responsibility in protecting the organisation against information incidents is key. This awareness needs to permeate the entire organisation so everyone understands their relationship to information risk and their responsibilities.

Security awareness programmes and training should be an ongoing function – from induction to regular training and updates.

The following story illustrates how a simple lack of awareness of security risks at a children’s hospital resulted in a full-scale data security breach, in addition to the payment of damages and jail for one unsuspecting man.

The story of the jealous boyfriend

An Ohio man sent an email containing spyware to his girlfriend because he thought she might be cheating on him. The girlfriend opened the email on her work computer, so the spyware installed itself on her work system rather than her home system. As a result, her boyfriend began to receive copies of her emails, which included sensitive medical information. This constituted a data security breach on the part of the Children’s Hospital where his girlfriend worked.

Whilst the man was caught, sentenced to up to 5 years in prison and forced to pay $33,000 in damages to the hospital, the hospital could have done much more to eliminate this risk.

Lessons to be learned:

    • Allowing access to home email from work IT systems increased the risk, and additional protection was required.
    • Anti-virus/anti-spyware software might have prevented or identified the spyware and alerted the systems administrators.
    • ‘System hardening’ could have helped.
    • The breach was likely caused by poor policies and procedures within the hospital and a lack of training for the staff. Make sure all staff are aware of what constitutes sensitive information and that such information has adequate levels of protection.
    • Never send sensitive information across the internet or by email unencrypted.
    • Don’t spy on your girlfriend!

Article by Dave James, MD of Ascentor
