How to Prevent Mistake-Based Data Breaches

Posted by Mark Greisiger

A Q&A with Spencer Snedecor, CEO of Palisade Systems
It’s a misconception that most data breach events and losses can be attributed to hackers—in fact, the large majority are caused by human error. Data Loss Prevention (DLP) solutions can help organizations reduce this type of risk exposure. I spoke to Spencer Snedecor, CEO of Palisade Systems, to find out more about DLP solutions.

What type of data leak mistakes do you see most often?
What we see most of all are people sending information out into the world as part of their daily business process—that includes sensitive personal healthcare data or personal identity information or credit card numbers. This is a case of “forgive me father: they know not what they do.” These are employees who are innocently going about their work as they do every day. All of us know now not to leave our mail in the post box or give our social security numbers to strangers but it’s amazing how people forget all of that sense of caution when they’re on a keyboard. They click send and end up emailing out a customer list. Really, the number one problem is ignorance.

What can an organization do if they would like to reduce the chances of personal information being mistakenly leaked, sent or even accessed by unauthorized staff?
Most organizations don’t know what they don’t know. First and foremost, the organization needs a common sense policy that talks at a high level about users and the sensible use of data, and the policy needs to be in line with current regulations. It goes unsaid but it’s usually not reinforced in offices: Not everyone in the organization should have access to the customer database. So it’s important not just to communicate that policy but to set up an expectation that you will enforce it. That’s where a DLP vendor like us can come in and help you monitor what’s going on, including internet access and traffic activity. We can alert you when social security numbers are flying around. In addition to offering people the ability to monitor internet usage, we can also help control access to certain websites that might reduce productivity or pose a security risk. Maybe you don’t want employees to be able to copy files to a flash drive or a DVD. We can monitor that, too. The software can also compile reports based on customer usage and provide “actionable intelligence” so you can continue to stay in front of mistake-based breaches.
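The monitoring described in the answer above (alerting when social security numbers or card numbers leave in outbound mail) comes down to content inspection: match candidate patterns, then validate them so that invoice numbers, ticket IDs and phone numbers do not trigger alerts. The following is an added illustration written for this page, not Palisade Systems' product code. The message format, the sample messages and the `decide` policy are constructed assumptions; the SSN structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) and the Luhn mod-10 check are the standard ones.

```python
"""Minimal outbound-content DLP check: flag email bodies that carry a
US Social Security number or a payment card number before they leave.

Added example, not the vendor's code.  Message layout and sample data are
constructed for illustration; the validation rules are standard.
"""
import re
from dataclasses import dataclass

# Candidate patterns.  Both are deliberately loose; validation below
# discards most false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

# Constructed sample outbound messages (assumed format, not real data).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "to": "partner@example.org",
     "body": "Here is the customer list: Jane Doe, SSN 219-09-9999, "
             "card 4111 1111 1111 1111."},
    {"id": "msg-2", "to": "colleague@example.com",
     "body": "Ticket 987-65-4321 closed; ref 000-12-3456; "
             "test card 4111 1111 1111 1112 failed."},
    {"id": "msg-3", "to": "friend@example.net",
     "body": "Lunch at noon? Call 555-0123."},
]


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "ssn" or "pan"
    masked: str    # all but the last four digits hidden, safe to log


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_body(body: str) -> list[Finding]:
    """Return every validated SSN or card number found in the text."""
    findings = []
    for m in SSN_RE.finditer(body):
        area, group, serial = m.groups()
        if ssn_plausible(area, group, serial):
            findings.append(Finding("ssn", mask(area + group + serial)))
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("pan", mask(digits)))
    return findings


def decide(body: str) -> str:
    """Assumed policy: block the send if any validated identifier is present."""
    return "block" if scan_body(body) else "allow"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = decide(msg["body"])
        hits = ", ".join(f"{f.kind}:{f.masked}" for f in scan_body(msg["body"]))
        print(f'{msg["id"]} -> {msg["to"]}: {verdict} {hits}')
```

Only the first message is blocked: its SSN passes the structural rules and its card number passes Luhn. The second message carries a 9xx area number, a 000 area number and a card-shaped value that fails Luhn, so nothing is flagged; the phone number in the third is too short to be a candidate. The remaining gap is the one a practitioner should expect: a nine-digit value that happens to be in issuable SSN format cannot be told apart from a real SSN by format alone, which is why production DLP rules add surrounding-keyword and data-source context on top of pattern checks.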

In conclusion …
NetDiligence has seen many cases over the past decade in which the client sustained a privacy/data breach incident due to an innocent mistake by some insider, for instance a marketing person or service provider who accidentally sent out a mass email with thousands of clients’ PII in the body text. Mitigating this inevitable exposure is important. That is where a DLP solution can be a valuable loss control tool and part of your layered safeguard approach.