
Cybercriminals are the main culprit

Mention data loss to anybody in business and they will probably make an immediate connection to cybercrime. After all, with all the reports of malware, ransomware and hacking incidents in the news, it’s easy to assume that data compromise is a result of malevolent intrusion into IT infrastructures. 

Contrary to popular belief, hackers are not the main culprits. Comprehensive research of small to medium-size businesses (SMBs) across the world confirms that hardware or systems malfunctions constitute 40% of all data loss events. Coming in a close second is human error, to which 30% of all data loss can be attributed. Software corruption, viruses and malware, and natural disasters make up the other 30%. Of this, cybercrime is responsible for only 5% of all data loss occurrences. 

Data loss in the UK 

Closer to home the picture does not look much better. According to a Data Health Check Report published in 2017, in the UK 24% of all data loss is through human error. This is 3% more than hardware failure and 5% greater than software or data corruption. 

Spend some time now examining the fundamental reasons why people are responsible for data loss including, but not limited to: accidental file deletion, inappropriate passwords, phishing emails, web browsing habits, physical damage and malicious intent. 

Accidental file deletion 

Top of the list is the risk of losing data by accidentally deleting files without previously having made any backups. Almost every employee behind a computer will update or delete files on a daily basis. It is no wonder that they accidentally delete the wrong files or overwrite parts that should have remained intact. Some say that losing information during everyday work is so common that it is not even perceived as a real risk. 

Data loss caused by file deletion is a function of not having standardised workflow procedures in place and not implementing reliable backup strategies. Efficient procedures for saving work and making regular backups will save time and a lot of data. 

Inappropriate passwords 

One of the most common ways that people leave their data vulnerable to hackers is by using inappropriate passwords. Consider this scenario involving a wealthy business person: James is perusing a six-figure portfolio on an account with a leading online securities trading firm. James then realises that he hasn’t changed the password on his account for a while; nine years, actually. On top of this, James’s password is the name of a beloved pet followed by a single number. The password could probably be guessed by anybody following James on social media. For sophisticated password cracking software, it would be a cinch. 

 James is not alone. The majority of individuals use weak or inadequate passwords, both for work purposes and for personal accounts. Some think that the easiest way to remember a password is by using only one. That’s the quickest route to disaster. Once a successful phishing attack captures that credential, the hacker has the keys to the kingdom. Varying passwords by a single character doesn’t help much either. A cracking programme will detect a ‘13’ just as easily as a ‘12’. Like James, many people use personal information in passwords. Social networks make it a straightforward procedure to harvest that information.  

As part of sound data protection practices in your SMB, you need to have a password policy that is enforced and adhered to. The policy should offer guidance to all employees on using appropriate passwords. Guidelines can include: 

  • change passwords frequently
  • use non-alphanumeric characters within a password
  • do not share passwords
  • do not use predictable passwords containing personal information
  • use passwords with a seemingly random set of characters
  • use a password strength checker such as My1Login
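
The guidelines above can be enforced automatically when a password is changed. The following check is an added example, not part of the original article: it flags personal information, the "word plus a number" pattern from James's scenario, and a new password that differs from the old one by only a character or two. The function names, the sample pet name "Rex" and the similarity threshold of 2 are assumptions made for illustration.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_password(candidate, personal_tokens, old_password=None):
    """Return the list of policy violations; an empty list means accepted.

    personal_tokens: names, pets, etc. known for the user (assumed input).
    old_password: the current password, which the user types in during a
    change. A history stored only as hashes cannot be compared for
    similarity, so this check has to run at change time.
    """
    reasons = []
    lowered = candidate.lower()
    if not re.search(r"[^A-Za-z0-9]", candidate):
        reasons.append("no non-alphanumeric character")
    for token in personal_tokens:
        # Ignore very short tokens to avoid accidental matches.
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append(f"contains personal information: {token}")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", candidate):
        reasons.append("word followed by a short number")
    if old_password is not None and edit_distance(candidate, old_password) <= 2:
        reasons.append("too similar to the previous password")
    return reasons

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_password("Rex7", ["Rex", "James"]))
    print(check_password("Harbour!13", [], old_password="Harbour!12"))
    print(check_password("v9#Lq!t2Zr@x", ["Rex", "James"], "Harbour!12"))
```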

Phishing emails 

A significant problem caused by poor judgement is people opening phishing emails and, more seriously, downloading unknown attachments. You probably know about the guy who wants to altruistically share his wealth with you and deposit £50,000 into your account. It doesn’t end with deceptive phishing. Spear phishing involves customising emails with information such as the target’s name, company and telephone number in an attempt to trick the recipient into believing they have a connection with the sender. The goal is identical to that of deceptive phishing: to lure the victim into clicking on a malicious URL or email attachment and thereby surrendering personal data. 

Data loss through phishing is considered such a serious threat that some companies now deliberately send out their own phishing emails in order to teach workers not to open anything from an unknown source. The employee who falls for the phishing trick will see a popup window explaining how they have been fooled and then be offered guidelines for identifying bad emails. Furthermore, SMBs should conduct ongoing security awareness training as a means of keeping their IT network secure and preventing data compromise. Companies should also invest in IT solutions capable of analysing inbound emails for malicious links and attachments. 

Web browsing habits 

Your SMB probably has policies about internet usage at the workplace, but do your employees really pay attention? It is human nature to be tempted and visit websites that we shouldn’t. These sites, unlike Facebook, Amazon or LinkedIn, are likely to be infected and can compromise the security of your IT infrastructure. By extension, this implies data loss and data protection breaches. This situation is exacerbated if your company allows BYOD, whereby individuals can use personal devices to connect to the business network. It is quite difficult to stop workers from surfing the net on their own tablets. 

Research shows that the best way to overcome web browsing during office hours is to explain the negative impact on productivity and the consequences of data loss. SMB executives are encouraged to empower employees by letting them take control of their web habits. Internet restriction apps are useful for this purpose. For example, Freedom allows users to choose how long they want to be blocked from the internet. Less extreme is AntiSocial, with which users can choose a selection of websites known to be distracting and enable these to be blocked for a set period. Of course, your IT engineers should also apply strict firewalls and website blockers to prevent staff from accessing potentially dangerous sites.  

Physical damage

While physical damage isn’t high on the list for causing data loss, accidents do happen. People drop laptops and other devices, and damage may even occur to a storage device. While not much can be done to avoid dropping devices, storage devices should be placed in a low-traffic location. Most importantly, back up and back up again, especially using the cloud, where your precious company data is well out of harm’s way. 

Malicious intent 

Disgruntled or fed-up employees may also be problematic. If somebody has been fired or is soon to leave your SMB, they may well think ‘What have I got to lose?’ and purposefully delete data and files. If you suspect that any staff member is capable of malicious intent, it is best to deny them access to your network by deleting their user accounts and changing credentials. Moreover, any company data should be erased from BYOD devices. 

Data loss is unacceptable 

With 31% of data loss caused by humans, you are looking at an unacceptable statistic. Clearly, in the UK human error has consistently been the biggest area of concern for organisations when it comes to data loss. Oscar Arean, a manager of the UK business continuity firm Databarracks, believes that SMBs should adopt more of a big business ethos that has more stringent user policies in place to limit the amount of damage individuals are capable of causing. Oscar has this to say about how SMBs deal with human error and data loss: 

“SMBs fall into the trap of thinking their teams aren’t big enough to warrant proper data security and management policies. Small organisations don’t need an extensive policy on the same scale that a large enterprise would, but their employees need to be properly educated on best practices for handling data and the consequences of their actions on the business as a whole. There should be clear guidelines for them to follow.” 

What about aliens? 

With human error impacting data loss to such an extent, you don’t need to worry about aliens stealing your valuable information or bringing your network down. There are at least six more threatening factors that should be managed, as you’ve read in this report. Make regular backups, use cloud computing and enforce IT usage policy in the workplace. Don’t let data loss take you by surprise: back up and educate.
