My Own Devices: Human Error, Cyber Attacks and Data Security

As the importance of Cyber Security becomes more apparent, Data Protection Partner Hugh Goulbourne discusses data breaches in the public sector and how human error may account for a higher proportion than you may think.

It seems that barely a week passes without news of another cyber crime featuring a major public or private organisation.

So far in 2023, the business consultancy Capita (https://www.theguardian.com/business/2023/may/30/capita-cyber-attack-data-breaches-ico) and Royal Mail (https://www.theguardian.com/business/2023/jan/12/royal-mail-ransomware-attackers-threaten-to-publish-stolen-data) have been among the UK businesses badly affected.

They are far from being the only ones.

Beyond the fact that both are large corporations, the attacks to which they were subjected have generated considerable fall-out for individuals and client firms because of the nature of the material which was reportedly compromised.

That is particularly the case in the most recent "critical incident", which involves not one but two lapses at the Police Service of Northern Ireland (PSNI) (https://www.dailymail.co.uk/news/article-12386577/PSNI-data-breach-Surname-initial-rank-location-department-current-officers-accidentally-published-response-FOI-request.html).

The first saw a list containing information on 10,000 officers and staff inadvertently posted online, something which has presented "serious security implications" and already led to a number of officers being moved from their homes because of fears for their safety.

While grappling with that problem, the PSNI also admitted that it was investigating the theft of confidential documents and a force laptop.

Given the turbulent and very violent history of Northern Ireland in recent decades, the potential personal consequences of such a situation cannot be overstated.

Nevertheless, as someone who advises organisations both large and small about their own data security, I think that the PSNI breaches highlight a very important and rather overlooked element; namely, that most such episodes are not due to technically astute and aggressive foreign governments or criminal gangs.

I certainly don't wish to downplay the threat which either poses. It's just that the available figures bear out what I'm saying.

Those numbers have been published by the Information Commissioner's Office (ICO), the UK body responsible - among other things - for overseeing that we all adhere to data privacy laws.

They show that since midway through 2019, there have been 37,129 data security incidents involving the public and private sector (https://ico.org.uk/action-weve-taken/data-security-incident-trends/).

Just over one-fifth (8,265) of those were classed as cyber-related. The most common type among them was ransomware (1,940).

Yet compare that to the 9,523 cases in which data was e-mailed or posted to the wrong recipients, the 1,052 instances of someone within an organisation verbally disclosing confidential information by mistake and the 3,527 matters in which documents or devices containing personal material were lost or stolen.

All that amply demonstrates how human error has - in the issues recorded by the ICO over the last four years - created far more problems than cyber crime.

The statistics clearly suggest that data isn't being handled with sufficient care.

Some SMEs might point out that larger companies or government departments have greater in-house provision, but a lack of resources or ignorance of one's responsibilities is no excuse.

The ICO's own website has lots of very helpful information which amounts to a primer about what all organisations must consider (https://ico.org.uk/for-organisations/sme-web-hub/how-to-minimise-the-risk-of-personal-data-breaches-happening/).

It will come as little or no comfort to the Chief Constable of the PSNI, Simon Byrne, that his force is far from alone in finding itself under scrutiny for a data breach.

In the last 18 months, seven other police constabularies have been the subject of enforcement action by the ICO for a variety of incidents.

The most recent saw Thames Valley Police reprimanded for disclosing information about someone who had witnessed a crime to suspected criminals (https://ico.org.uk/action-weve-taken/enforcement/thames-valley-police/).

The person concerned had to move address and the risk to safety "remains high".

It could be said that there is little which even the most committed, careful and prepared organisation can do against a determined attempt by a nation state or criminal enterprise to access their systems.

The opposite is true when it comes to human error.

Compliance with data privacy laws is something best achieved by design and default.

By design, I mean that companies need to look at their systems - operations, client contracts, IT infrastructure and staff training - to identify, assess and then address shortcomings using their own staff or specialist external support. By default, I mean that it should be such a regular obligation that it becomes almost second nature.

Looking once more at the ICO's own figures, simple and readily available steps - such as setting up e-mail applications to ask whether someone really intends to send any or all attachments - can avert a calamity.
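The kind of pre-send prompt described above, as an added Python illustration that is not part of this article and does not represent any particular e-mail product. It assumes messages are built as standard-library `EmailMessage` objects, that the organisation's own domain is the constructed placeholder `example-firm.test`, and it targets the two largest ICO categories cited here: data e-mailed to the wrong recipient and attachments sent (or forgotten) by mistake. The function returns the questions a mail client should put to the sender; an empty list means nothing looked amiss.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder for the organisation's own mail domain.
INTERNAL_DOMAIN = "example-firm.test"

# Words that usually mean the sender expected a file to accompany the message.
ATTACH_WORDS = re.compile(r"\b(attached|attachments?|enclosed)\b", re.IGNORECASE)


def recipient_addresses(msg: EmailMessage) -> list[str]:
    """Return every bare address in To/Cc/Bcc, lower-cased."""
    raw = []
    for header in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def presend_warnings(msg: EmailMessage) -> list[str]:
    """Return the confirmation prompts a mail client should show before sending."""
    warnings = []
    rcpts = recipient_addresses(msg)
    external = [a for a in rcpts if not a.endswith("@" + INTERNAL_DOMAIN)]
    external_domains = sorted({a.rsplit("@", 1)[-1] for a in external})
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part is not None else ""

    # 1. Forgotten attachment: the text promises a file, but none is present.
    if ATTACH_WORDS.search(body_text) and not attachments:
        warnings.append("The message refers to an attachment but nothing is attached.")

    # 2. Files leaving the organisation: ask the sender to confirm each outside address.
    if attachments and external:
        warnings.append(
            "Attachment(s) %s will leave the organisation, to: %s. Send?"
            % (", ".join(attachments), ", ".join(external))
        )

    # 3. Possible misdirection: recipients spread across several outside organisations.
    if len(external_domains) > 1:
        warnings.append(
            "Recipients span several outside organisations (%s). Check that each should see this."
            % ", ".join(external_domains)
        )
    return warnings


def build_message(to: str, body: str, attach: bool = False) -> EmailMessage:
    """Construct a sample outbound message (constructed test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "staff@" + INTERNAL_DOMAIN
    msg["To"] = to
    msg["Subject"] = "Case file"
    msg.set_content(body)
    if attach:
        msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                           subtype="pdf", filename="case-file.pdf")
    return msg


if __name__ == "__main__":
    samples = [
        build_message("colleague@" + INTERNAL_DOMAIN, "Please see attached."),
        build_message("client@client-co.test", "The file is attached.", attach=True),
        build_message("colleague@" + INTERNAL_DOMAIN, "Minutes below.", attach=True),
        build_message("a@one.test, b@two.test", "Update below."),
    ]
    for sample in samples:
        print(sample["To"], "->", presend_warnings(sample) or "no prompt")
```

The checks are deliberately cheap and run entirely inside the sending client, so they cost nothing against a determined external attacker but catch exactly the careless keystrokes the ICO figures describe; a real deployment would tune the internal-domain list and the vocabulary to the organisation.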

Showing that you have taken every reasonable measure to avoid a release of confidential data can be vital in mitigating any sanctions which might be imposed by the Commissioner should the worst happen.

As Royal Mail, Capita and now the PSNI have discovered to their cost, a data breach can be costly in terms of both finances and reputation.

For smaller organisations, a careless keystroke could be the difference between bright prospects and haemorrhaging business.

No-one can predict if they will join the roll-call of victims but, at the very least, they can and should be prepared.

To discuss any of the above further, please feel free to contact Hugh: hughgoulbourne@bexleybeaumont.com  |  07748 803634