Human Error And Data Breaches

In a time known for cyber hackers, suspicion for any security breach has mostly fallen on external forces, often on an international level. Cybercrime in South Africa has reached such a scale that the government instituted the POPI Act (Protection of Personal Information). However, based on a new study, it appears that a majority of system data breaches originate at the ‘human error’ level.

A study by the BakerHostetler Privacy and Data Protection Team produced a report indicating that 36% of the data security incidents in 2014 were caused by employee negligence. For those incidents that had identified detection dates and notification, an average of 134 days elapsed from the occurrence of the incident to its detection.

Additional findings from the report worth noting include:

  • Based on the required notification laws, 58% of these incidents required that the affected individuals be notified.
  • Of the seventy-five incidents that involved the mailing of notification letters, only five of the companies faced any litigation from the individuals who were potentially affected.
  • Not all of the security lapses involved cyber hacking of electronic records. Paper records were involved in 21% of the cases.
  • In situations that involved stolen credit card information, the fines ranged from $5,000 to $50,000 per matter.

The new POPI Act in SA was put in place to establish ground rules and guidelines for companies to follow in keeping data secure. However, very few SA companies have followed through in protecting personal data from security breaches. Trustwave research shows that 51% of SA companies have not made any significant efforts toward compliance. It is believed that SA companies will not take the privacy law seriously unless there is a high-profile security breach.

Combined, the results of both research areas suggest that more SA companies will experience data security breaches, with many caused by internal staff sources.

According to the Blackberry Regional Director for Product Security, Middle East and Africa, Nader Henein, “In South Africa you see concerns around … not the malware side or attack side … The biggest concern is coming from consumer-based applications in an enterprise context.” He went on to use WhatsApp as an example: it saves all of the corporate contact data, which could be accessed, uploaded to various data centers and then sold off to interested parties.

Sharon Knowles, CEO of Da Vinci CyberSecurity says:
“There has never been a more important time for companies to work with a professional security company for both a system analysis and employee education. Many of the data breaches that are caused by internal situations are the result of a lack of awareness; other circumstances are preplanned. Da Vinci CyberSecurity works in conjunction with SA companies to identify potential problems as well as work with staff on an educational level. The financial loss involved in lengthy time durations between discovery and action can be a significant loss to a company. Da Vinci Forensics coordinates on multiple levels to help protect against the loss of proprietary data.”

Da Vinci CyberSecurity offers an Internal IT Compliance Review service.

*** Sources ***
Drug Store News