The recent data breaches at Capital One and National Australia Bank (NAB) reinforce the evidence that human error represents a serious threat to organisations in finance.
In the 12-month insight report about the Notifiable Data Breaches scheme, the Office of the Australian Information Commissioner (OAIC) disclosed that 35 percent of all reported breaches resulted from human error.
The financial services sector reported the second-highest number of data breaches in the 12-month period covered by the report, trailing only the health sector. Additionally, 41 percent of those financial breaches were related to human error.
The numbers attributed to error are likely higher if we consider that external attackers are taking advantage of these mistakes in order to gain access and steal data. Errors include system misconfigurations, inappropriately stored – or shared – data (example: S3 buckets containing sensitive data configured for public access are commonplace), or the use of weak system passwords.
Rather than malicious insiders, these errors are made by trusted users who make simple and avoidable mistakes. With the right tools, paired along with security best practices, breaches could be easily avoided.
Financial customers must be confident that their selected bank is protecting their highly sensitive information. While many are paranoid about banking fraud or card fraud, compromised identification documents can be more jeopardising to an individual if this type of data falls into the wrong hands.
In the case of Capital One, the misconfiguration of a cloud server in AWS was to blame, while the breach at NAB resulted from an employee mishandling data. While hacking and malware consistently rank among the most common causes of breaches, careless and malicious insiders remain a top concern for companies.
People make mistakes, but organisations need to do what they can to identify and prevent these mistakes from leading to harm.
Culture: It’s important for a company to promote a culture of managing data with care, and for its employees to understand the value of information. This has to transcend the organisation and come top-down.
Policies: Define and communicate clear policies around data privacy and the protection of information. This should form part of ongoing cyber awareness training for users.
Controls: Use controls to monitor and flag questionable – or higher risk – user activities, as well as ones that can identify when data is being inappropriately stored or shared.
The problem with the insider risk is that the users have legitimate credentials and privileges; they are meant to be where they are, doing what they’re doing. This can make it challenging for an organisation to defend against a problem proactively.
As crucial as it is, employee training should be one piece of a multi-pronged approach to security that includes tools like encryption of data at rest, multi-factor authentication (MFA), and more.
Data at rest in information technology means inactive data that is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.).
Because of its nature, data at rest is of increasing concern to businesses, government agencies, and other institutions. Mobile devices are often subject to specific security protocols to protect data at rest from unauthorised access when lost or stolen, and there is an increasing recognition that database management systems and file servers should also be considered as ‘at risk '.
The longer data is left unused in storage, the more likely it might be compromised by unauthorised individuals outside the network.
Organisations focus swathes of time and resources on external threats, but their sophisticated perimeter and endpoint controls are of limited value when sensitive data is being stored or accessed off premises.
For both financial and productivity reasons, SaaS has become the preference of many enterprises today. Many of these services allow the open sharing of data files, and often, this setting is on by default.
Overall cyber resilience and defence could be improved if more focus is given to internal risks around data privacy and security.