The document discusses how many data breaches are caused by human error rather than advanced hacking. It identifies risks stemming from careless email use, like falling for phishing scams, using work email for personal matters, and not backing up emails properly. Other human errors include losing devices containing unencrypted data, failing to delete old data, sharing account credentials, employees stealing data, and general carelessness. The conclusion states that while technology can help, the most important precautions are training, policies, encryption, and common sense.

2. OVERVIEW
• News stories every day – exposure of private company
information
• Not advanced technology or genius hackers but…
• “Human Beings, Being Human”
2

3. RISKS STEMMING FROM…
A. Careless Use
Of E-Mail
B. Other Aspects of
Human Error

4. A. CARELESS USE OF EMAIL
1. Employee Vulnerablility to Spear Phishing Attacks
Fraudulent email intent on gaining data/information - much more focused
than traditional Phishing
Example: 2008 District Court Subpoena Scam
Solutions:
• Education
• Messaging Intelligence
• Phishing Filter
• Avoiding Embedded Links
• Increased Sensitivity of Spam Filters
4

5. A. CARELESS USE OF EMAIL
2. Use of Company Account for Personal Use (and Vice-Versa)
Lack of distinction between the company account and personal
account can lead to embarrassing or disastrous consequences
Example: Anonymous - Sarah Palin, 2008
Solutions:
• Policy of separate accounts for personal and
work use
• Ban on internal “chain mail” on company
accounts
• If absolutely necessary to use personal
account for work purposes, encryption must
be used
5

6. A. CARELESS USE OF EMAIL
3. Avoidable Loss of Old E-mails
It‟s often assumed that once an e-mail is stored in an account that it is
safe forever.
However e-mail accounts can crash leading to loss of all data which
hasn‟t been backed up.
Example: G-Mail Mishap, 2006
Solutions:
• Manual e-mail backup on cd/storage device with
strict back up schedule.
• Purchase of automated backup software to take
care of backups automatically
6

7. A. CARELESS USE OF EMAIL
4. Mis-use of the “Reply All” Button
One of the most common mistakes made by individuals regarding e-
mail error which can result in sensitive or embarrassing information
being sent to unintended recipients.
Example: LA Police Dept. Controversy, 2012
Solutions:
Many e-mail providers offer a number of preventative
means,
e.g. Outlook:
• Option to remove “Reply All” button
• Option of 30 second lag on all e-mails
• Option of an alert warning the user that “Reply All”
has been selected
7

8. A. CARELESS USE OF EMAIL
5. Over-Dependence on E-mail (especially for discussion of
sensitive info)
E-mail is often seen as an “easy way out” communication tool providing a
quick fix. The short term relief, however, does not outweigh the potential
problems including clogging of internal email systems.
Also problematic is the use of e-mail for sensitive corrospondence more
suited to aNavio Computer‟s to face meeting. System,
Example: phone call or face Clogged Email
2011
Solutions:
• Ban on unnecessary internal e-mails
• Alternative cloud-based collaboration tools
• FtF meetings and phone calls to discuss sensitive
info
• Encryption if sensitive info MUST be sent via e-
mail
8

9. B. OTHER ASPECTS OF HUMAN ERROR
1. Loss Of Laptop/Other Device (Containing Unencrypted Data)
Theft/Loss of a computer or other data storage medium made up 35%
of all data breaches in 2012. Such theft/loss can cost a company
hugely in monetary terms as well as image, competitive advantage and
consumer trust.
Example: Dept. of Veteran Affairs Database Theft, 2006
Solutions:
• Education of employees around device and password
security
• Immediate notification of loss or theft
• Encryption of all sensitive company data/info
• Device Management Consoles – monitor, set , enforce
polices & remotely wipe devices
9

10. B. OTHER ASPECTS OF HUMAN ERROR
2. Failure To Erase Data When No Longer Required/Permitted
It is generally good practice to destroy old info/data that is no longer
required, to free up disk space.
More importantly, many sectors are governed by laws prohibiting retention
of certain info after a specific time period.
Example: Affinity Health Care Digital Copier Mishap,
2010
Solutions:
• Policies regarding deletion of old emails, messages,
call logs & files
• Strict reviews of data on all devices on regular
continual basis
• Education of staff around safe destruction of old
data
• Device Management Consoles (again) for remote
wiping of lost/stolen devices
10

11. B. OTHER ASPECTS OF HUMAN ERROR
3. Sharing of User Account Details and Passwords
Password sharing - convenient & cost saving in relation to certain
systems.
Can widen potential for unauthorised access, especially when people
leave the company.
Example: Lincoln National knowing whoAffiliate into what and when
It also prohibits mgmt from Securities logged
(audit trail).
Access, 2010
Solutions:
• Assign usernames and PW‟s specific to
individual users & grant/revoke permissions
depending on what these users require
• Policies demanding „strong‟ PW‟s & mandatory
routine for changing PW‟s
• PW‟s should be changed when duties are
reassigned or employees leave
11

12. B. OTHER ASPECTS OF HUMAN ERROR
4. Data Theft By Employees/Former Employees
Employees gain access to numerous systems through their employment
including email accounts, HR payroll systems, etc.
Often Companies do not prioritise the practice of updating user access &
privileges when employees leave the company, opening the door to data theft by
disgruntled former employees.
Example: Fidelity National Information Services Data
Theft, 2007
Solutions:
• Policy of updating access and privileges when
employees leave the company
• Purchase of systems to simplify the user
provisioning process
12

13. B. OTHER ASPECTS OF HUMAN ERROR
5. Use of company laptops outside of work / personal laptops in the
workplace
Ideally should never use the same device for both – if company laptop MUST
be used, they should never be left unattended or connected to unsecure
Example: Saudi Aramco Virus Infection, 2012
networks.
Solutions:
• Separate laptops for home and work except when
absolutely necessary
• Password protection & no sharing
• Deletion of sensitive information when no longer
needed
• Restrictions of the type of data allowed outside the
workplace
• Encryption of all sensitive information
• Restrictions on connection to unprotected
networks
13

14. B. OTHER ASPECTS OF HUMAN ERROR
6. General Simple Human Carelessness
By our nature, humans will suffer lapses in concentration or oversights.
In business, carelessness like failure to double check standards or erroneous
publication of data may have disastrous consequences.
Example: AOL Release of Search Data, 2006
Solutions:
• Education of employees about their
responsibilities regarding data security and the
use of technology to avoid data breaches
• Preparation & implementation of data breach
policies and response plans
14

15. CONCLUSION
• Data breaches not necessarily associated with new technologies
and genius hackers
• Reality: Many can be associated with human error
• Ponemon: 78% - “human negligence or maliciousness”
• Many breaches can easily be avoided
• Precautions can be aided by technology but
old familiar security fundamentals are key:
• Training & Education
• Policies, Revisions & Analysis
• Data Encryption
• Common Sense & Sound Judgement
15