Stupid humans and their expensive data breaches

UK data breaches are increasingly being traced back to human error, despite the growing emphasis on data protection. A Freedom of Information (FOI) request to data privacy watchdogs at the Information Commissioner’s Office (ICO) revealed that a quarter of reported data breaches during the first three months of 2014 were caused …

  1. chivo243 Silver badge
    Facepalm

    occurred as a result of technical failings?

    In the end, aren't all breaches due to some human action, mis-action or non-action?

    The documentation says to do it that way, well some human writing the documentation made a mistake.

    I mis-understood M$'s group policy language gymnastics. I disabled something, now users are able to do something?

    What? No human changed the default settings?

    1. Tim 11

      Re: occurred as a result of technical failings?

      Agreed 100%. Even if it was a hardware failure, and even if the hardware failure wasn't a design or manufacturing defect, ultimately it was a human who chose that hardware and had an unrealistic expectation of it.

  2. TrishaD

    Training

    “What these statistics demonstrate is that training alone is not the answer,”

    I don't think that the problem is that people don't care but that they don't care enough. While training might make people aware, it won't scare the bejazus out of them (which is one of the things that makes people actually think) because they're not personally liable.

  3. Ole Juul

    It's poor workman that blames his tools

    “What these statistics demonstrate is that training alone is not the answer”, according to Pepper

    I disagree. I think what this demonstrates is that human error is the biggest problem. More secure software can no doubt improve the situation but training is still at the top of what needs to be looked at. However, I imagine this fellow would rather avoid the training and buy more software instead.

    1. Trevor_Pott Gold badge

      Re: It's poor workman that blames his tools

      You can change human nature if you just boss them around hard enough? News to me.

  4. David Roberts

    Encryption?

    O.K. This is a bit of puff for an encryption firm.

    However nearly all the reported problems are due to the information being sent to the wrong person.

    Inside the business with encryption if you send information to the wrong person then you also encrypt for the wrong person.

    Sending to the general public you decrypt first.

    So how does encryption help?

    Surely encryption can help with a data breach but not human error in sending to the wrong person.

    1. frank ly

      Re: Encryption?

      If I am sent data in error and that data is encrypted, how can I see it if I don't have decryption processes and the decryption key? That would be the point of encrypting data for security in the event of sending it to the wrong person outside an organisation.

      Within an organisation, there would be less risk in case of accidental sending to the wrong person, but you could compartmentalise by division/department etc. as far as was thought to be needed.

      1. hayzoos

        Re: Encryption?

        S/MIME email clients always encrypt to the recipient(s) in the To: field so you would have the private key for the encrypted email even if you were not the intended recipient.

        The article title suggests mass data breaches with the word expensive. The causes cited don't seem to be mass data breaches. In order for this class of data breach to be expensive relative to all data breaches, there must be massively extensive occurrences of these individual record breaches.

        Of course the Excel spreadsheet lists of employee, customer, or admin password data inadvertently exposed to the 'net through a rogue and/or poorly configured web server does begin to reach the volume of a mass data breach.

        So, what do you think the chances are the encrypt everything software will be configured and/or used properly? I foresee key distribution creep. Example: The receptionist needs access to such and such, so needs the key to decrypt employee database (in Excel) to look up whose car has a flat tire.

        1. Anonymous Coward

          Re: Encryption?

          It should start by teaching people Excel (or any other spreadsheet) *is not a database*....

    2. Phil O'Sophical Silver badge

      Re: Encryption?

      So how does encryption help?

      If I encrypt some data with your public key, and then accidentally hit "Reply All", at least the data that went to the wrong people isn't accessible by them.

  5. Anonymous Coward

    Often, it's not mistakes, but laziness

    In my experience, often problems arise not from "mistakes" - people trying to do something and doing it a wrong way - but from "laziness" - people avoiding doing things they should do, for fear of mistakes - often regarded more dangerous than a data breach, lack of resources, lack of proper skills (often due to outdated ones), lack of system knowledge (it was set up by someone else years ago, no one touches it for fear of breaking it...) or pure real laziness. Or a combination of all those factors.

    As long as too many people in charge of systems believe that "if it works, don't touch it", that 99.99% uptime needs to be reached with a single machine setup, that everything you learnt 15 years ago is still fully valid as if nothing changed meanwhile, that it's OK if someone sets up a system and nobody else knows anything about it, and responsibilities need to be avoided at all costs thereby doing nothing is better than risking a mistake, well, there will be no technological solutions but full AI robots...

    1. Jonathan Richards 1

      Re: Often, it's not mistakes, but laziness

      Yes to that, and also sometimes sheer bloody-mindedness. When training people to be responsible personal data users, I've sometimes been told "We don't have time for all that nonsense; if X asks for the data, I'm going to send it", or "Yes, but I just have to email that spreadsheet home to work on it at the weekend". These aren't errors of the 'Ooops, didn't mean to do that' sort, they're errors knowingly committed by people who are, as TrishaD says above, insufficiently terrified of consequences.

  6. Where not exists

    Article Summary

    To err is human, but to really screw things up, you need a computer!

    1. Mark 85

      Re: Article Summary

      You can add to that: "Stupid is as stupid does."

  7. ecofeco Silver badge

    Gee what a surprise

    No surprise here. Between accounting constantly crippling the IT dept to the users doing their best to ignore the rules (I'm looking at you C suite) and some alpha basement bois set in their ways, it's a wonder there aren't more breaches.

    1. Anonymous Coward

      Re: Gee what a surprise

      Ha. If the IT department didn't constantly and ignorantly try to cripple the working practices of everyone else in the organisation, the rest of us wouldn't see it as a personal challenge and point of honour to circumvent their restrictions as fast as they introduce them.

      Insist on an encryption system which only works with Windows and one model of USB stick from one supplier? Why yes, we will find ways round it. There are more of us than there are of you, and we're cleverer too.
