Carelessness is the culprit
A three month study by the Information Commissioner's Office (ICO) has concluded that the majority of privacy breaches reported to it were the result of carelessness and human error.
The ICO looked at 335 data incidents, and whilst these figures relate specifically to possible breaches of the Data Protection Act, they are probably a mirror of what happens in the wider world of commercial computing in the UK. 52% of the incidents could be described as carelessness where personal data had been disclosed in error. That included emails containing sensitive data being sent to the wrong email address, or inadvertently copied to lots of people, and personal data being erroneously included in responses to freedom of information requests. The incidents which attract press coverage, such as losing the paperwork by leaving it on the train, having it stolen, insecure disposal of documents, or losing papers in transit, are all much less common than you might expect, and together they account for less than 20% of incidents. Even rarer is disclosure of data due to hardware theft or incorrect disposal of equipment, amounting to about 10% of all incidents reported.
Interestingly there were just seven cases over the three month period where personal data had been uploaded to a website. Whilst this is a small number overall, it has the potential to be a very public mistake. One would think that the managers of the organisations involved would be very aware of the disclosure potential of websites and have some sort of cross-checking system in place to ensure more than one pair of eyes looks at documents before they are published. However, experience tells us that many organisations focus far too much on the technical aspects of content management, and far too little on managing and quality checking the information.
It might surprise you to know that "technical error" was to blame in only about 8% of cases. This could cover a multitude of sins such as forgetting to turn on the password protection for a sensitive area of a website, encryption of data with an easily-guessable key, failing to protect against known flaws in content management systems, overwriting a file or hardware failure. Whatever the reason, it probably goes against expectations which are fuelled by the endless diet of Hollywood images where every computer is hackable in a few keystrokes. The reality is that most programmers can tell you horror stories of clients who demand security which would challenge the NSA, but then insist on using their name spelt backwards as their password, and saving their password on their laptop so they don't have the hassles of typing it in every time.
The message from this study is clear. Whilst technology is far from perfect, it is human error, not computer faults, which is the biggest source of security breaches. You cannot simply delegate security to the computer. Focusing on the human link in the chain still gives the best return.
28th August 2013
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.