We’re all human. We all make mistakes. It’s inevitable! Unfortunately, there are times when our mistakes have consequences. Sometimes those consequences are small and sometimes…they’re not as easy to sweep under the rug. In this blog, we break down the top 5 ways human error can lead to a potential data breach.
According to a 2020 study by Verizon Data Breach Investigations, approximately 81% of all data breaches are caused by cybercriminals easily hacking accounts that are supposedly “protected” by weak passwords. By not adhering to password guidelines, failing to offer password training to your team, and not implementing multi-factor authentication procedures, businesses continue to put their cybersecurity at risk.
With that being said, what exactly constitutes a weak password? A weak password is any phrase or term that is common, short, or predictable, such as the owner’s name, birthday, or the literal word “password.” Instead, use a longer password made up of a mix of upper and lowercase letters, numbers, and symbols to help keep your password and data safe. Essentially, the more complex the password, the harder it is for cybercriminals to hack your information.
Lack of Cybersecurity Knowledge
In the modern digital age, the world of cybersecurity has only become more intricate and advanced. Bad news? Most of us need to step up our game when it comes to protecting our data. Good news? You don’t have to be an IT wizard to do so!
Here are just a few minor ways to help combat a lack of cybersecurity knowledge:
- Do not use public Wi-Fi without a VPN when accessing sensitive data such as bank accounts, work emails, etc. Without a secure network or VPN, it’s much easier for hackers to get their hands on your information.
- Do not interact with suspicious email links and attachments. Hackers and thieves have only become more creative when it comes to phishing emails. If an email address is a letter or two off, or if that email from your boss asking you to purchase gift cards to send them doesn’t necessarily sound like them, it’s always best to either ignore it or send it to your IT department to investigate.
- Do not use insecure devices. Whether it is an external hard drive or USB stick, be wary of using just any random external device that could potentially be carrying malicious code designed to steal your information.
Mishandling of Data When Transporting
In May 2006, the U.S. Department of Veterans Affairs announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers in addition to other personally identifiable information (PII). The breach was found to be caused by a Veterans Affairs data analyst who had taken home computer equipment that contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary, which ultimately led to the breach.
Another example of insecure transportation is the 2011 breach of military health program TRICARE. The breach occurred when a TRICARE employee was tasked with transporting devices carrying the healthcare information of 4.9 million subscribers to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized.
While we’re sure neither one of the employees mentioned above had intended to have their home and vehicle burglarized, unfortunately, that is a risk we all face. It’s the unpredictability of others that we must keep in mind when transporting physical media. To read more about the importance of storing physical media that is awaiting destruction, read one of our previous blogs.
Using Outdated/Unauthorized Software
Rule of thumb: combat cybercriminal efforts by making sure your software is always up to date and is reputable. It is far too easy for cybercriminals to compromise sensitive data when your software is not up to date. Check with your business’s IT department to make sure you are not ignoring any updates or downloading unauthorized software. It’s also important to note that one should never disable their software’s security features, especially if it is on a work-issued computer or laptop. Your online shopping can wait until you are in the safety of your own protected network and home.
As we’ve stated in previous blogs, by introducing third-party data sanitization vendors into your end-of-life destruction procedure, you significantly lengthen the chain of custody, and subsequently face a far higher risk of data breaches. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties!
While we understand that there are reputable data sanitization vendors out there, it can be far too easy for ITAD (IT asset disposition) vendors to misuse, mishandle, and misplace drives during transportation, destruction, and disposal. (Remember when financial institution Morgan Stanley announced that an ITAD vendor had misplaced computer equipment storing customers’ personally identifiable information?)
At SEM, we suggest getting rid of ITADs altogether if they are part of your end-of-life destruction procedure simply because of how unpredictable they can be, and the potentially catastrophic consequences should a breach occur.
A common denominator in the data breaches above is not only human error but also the misuse of drives containing sensitive information during storage and transport. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or the budget to outsource destruction, but it is for this reason that we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it meets its end-of-life.
Following all these tips can help protect your most sensitive information. As always, it is important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of high-quality NSA listed/CUI and unclassified degaussers, IT crushers, and enterprise IT shredders to meet any regulation when the time comes to destroy your end-of-life data. Any one of our exceptional sales team members is more than happy to answer any questions you may have and help determine which machine will best meet your personal or regulated destruction needs.