
The weakest link: Safeguarding your business against accidental security breaches


02.08.2020

In our digital age, protecting confidential data is one of the biggest challenges for businesses of all sizes. Last year, thousands of breaches in data security were reported and billions of records were exposed.
Malicious cyber attacks including malware, phishing and “denial of service attacks” make news headlines, but nearly half (49%) of data breaches are caused accidentally. Data breaches caused by human error and system glitches cost companies an average of $3.50 million (£2.69 million) and $3.24 million (£2.49 million) respectively, according to the Ponemon research.

Social engineering

Accidental breaches, often referred to as social engineering, can be caused by an employee leaving a laptop on public transport, opening an infected email or being tricked into giving information to a crafty hacker. Common types of social engineering include “phishing” (emails pretending to be from legitimate organisations) and “pretexting” (when a criminal pretends to need information from an employee to confirm the identity). Social engineering scams – such as strangely worded requests from strangers promising large amounts of money in return for a loan – used to be easy to spot. Now they seem more realistic.

“[Phishing documents may] look like invoices or invitations to tender or look like it comes from an internal department in your business, for example, fire alarm testing, ‘click on this to see the new schedule’,” says Rob Bamforth, a technology analyst and marketing consultant.

Computer error

The other main type of accidental data breach is caused by misconfigured hardware or software, in which security safeguards aren’t activated.

A growing amount of computing power is stored online, in the cloud. If cloud servers are misconfigured, hackers may be able to view the private company data. An increase in employees using their own smartphones, laptops and tablets to access company IT networks is also creating security challenges. Hackers target these devices because they usually have less security software than devices supplied by a company IT department.

How to minimise the risk of security breaches in your business

Educating employees about security risk, security software and restricting access to IT systems should be part of your security safeguards.

Here are some tips:

1. Threat intelligence gateways

New technology such as “threat intelligence gateways”, which sit outside company firewalls, can spot and block potential cyber threats before they enter a company network. A gateway can block traffic from certain countries that are not expected to communicate with a business.

2. Encrypt data

If data is lost or leaked, encryption technology can protect it. If data is changed from plain text to an unreadable “cipher” text, it’s almost impossible to unscramble and read. There is lots of encryption technology available, for example, Samsung Knox, which is built into every Samsung device from the chipset up, and encrypts your data at every level.

3. Zero trust

Restricting employees’ access to IT systems can also reduce the risk of accidental data breaches. Under a concept called “zero trust”, employees only have access to certain IT systems. They can only access the systems after their identity has been verified and their device’s security has been checked.

Jason Dowzell, CEO and co-founder of Natural HR, a software supplier, says businesses should do frequent audits of their security processes. “Check when people access data within your business, when they run reports [and] download information ... Doing so will help in identifying any inappropriate activity and could possibly avoid a much larger, more damaging IT security breach.”

A customer of Natural HR had a security incident, in which an IT worker at the company accessed an internal database that included employees’ salaries. The employee used this information as “evidence” that he was being underpaid. In many companies, IT teams are “super users” who have access to all IT, including confidential employee information. After the security incident, the company changed its “super users” to HR. (There are also controls about who in the HR team can see, for example, directors’ salaries.)
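The access rules and audit described above, as an added example that is not from the original article or from Natural HR: a zero-trust decision (identity verified, device checked, role limited to certain systems) that records every request and picks out the entries an audit should review. The role names, system names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy: which roles may reach which systems (all names are assumptions).
ROLE_ACCESS = {
    "hr": {"hr_database"},
    "hr_director": {"hr_database", "director_salaries"},
    "it": {"ticketing", "device_management"},  # IT is no longer a "super user"
}

@dataclass
class Request:
    user: str
    role: str
    system: str
    action: str              # "view", "run_report" or "download"
    identity_verified: bool  # the user's identity has been verified
    device_compliant: bool   # the device passed its security check

def decide(req):
    """Zero-trust decision: every condition must hold, otherwise deny."""
    if not req.identity_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device failed security check"
    if req.system not in ROLE_ACCESS.get(req.role, set()):
        return False, "role has no access to this system"
    return True, "allowed"

def audit(requests):
    """Evaluate each request; return the full audit trail and the entries to review."""
    trail, review = [], []
    for req in requests:
        allowed, reason = decide(req)
        entry = {"user": req.user, "system": req.system, "action": req.action,
                 "allowed": allowed, "reason": reason}
        trail.append(entry)
        # Denied attempts and downloads are what a periodic audit looks at first.
        if not allowed or req.action == "download":
            review.append(entry)
    return trail, review

# Constructed sample requests, modelled on the incident described above.
SAMPLE = [
    Request("alice", "hr", "hr_database", "run_report", True, True),
    Request("bob", "it", "hr_database", "view", True, True),
    Request("carol", "hr", "director_salaries", "view", True, True),
    Request("dave", "hr_director", "director_salaries", "download", True, True),
    Request("erin", "hr", "hr_database", "view", True, False),
]
```

Calling `audit(SAMPLE)` returns all five requests in the trail and four entries for review: the IT worker's blocked attempt on the HR database, the HR user's blocked attempt on directors' salaries, an allowed download, and a request from a device that failed its check.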

4. Educate your staff about cyber security

Educating staff about IT security will be more effective if done regularly − for example, with a consultant acting as a hacker and doing a safe simulation of a phishing or other cyber attack. (This could include trying to trick employees into giving away sensitive data or downloading something dodgy.)

5. Monitor new threats: 5G, “deep fakes” and the Internet of Things

Tracking who is accessing data, and from where, will get harder when fifth generation (5G) mobile networks are rolled out. Employees may use wi-fi to access sensitive corporate data, bypassing a company network’s security. This − plus an increasing number of Internet-connected devices − may increase the risk of accidental security breaches if business networks and IT systems are not monitored closely. Businesses should also keep an eye on “deep fake” texts and videos, which can trick employees into giving hackers confidential information, or access to corporate IT systems.

Accidents will always happen. Fortunately, they can be made rarer through common sense, security software, training staff and regular tests of security technology and procedures. The threats may change but the precautions will remain similar.
