Securing Information
Strengthening Business

The Human Factor – minimising the risk to your information from human error

Lost laptops or disks, saying the wrong thing loudly on the phone on the train, leaving a folder of sensitive customer details in the pub – all can have a serious impact. People make mistakes. This article gives advice on what you can do to minimise the risk of human error.

Social Engineering is on the rise

“People are the weakest link at any level of security,” says a hacker quoted in a BBC article

People are often the weakest link in securing information within an organisation. Social engineering, where users are duped into giving away their passwords or other sensitive information, has always been the easiest way to get information.

A report by Computer Weekly (September 2011) found that fewer than a third of UK businesses provide regular training aimed at preventing social engineering attacks, despite 42% being hit this way in the past two years, at an average cost of £15,000 per incident.

Often, security incidents arise because of a failure to comprehend the risk. Awareness and personal responsibility in protecting the organisation against information incidents are key. This awareness needs to permeate the entire organisation so everyone understands their relationship to information risk and their responsibilities.

Security awareness programmes and training should be an ongoing function – from induction to regular training and updates.

The following story illustrates how a simple lack of awareness of security risks at a children’s hospital resulted in a full-scale data security breach, in addition to the payment of damages and jail for one unsuspecting man.

The story of the jealous boyfriend

An Ohio man sent an email containing spyware to his girlfriend because he thought she might be cheating on him. The girlfriend opened the email on her work computer, so the spyware installed itself on her work system rather than her home system. As a result, her boyfriend began to receive copies of her emails, which included sensitive medical information. This constituted a data security breach on the part of the Children’s Hospital where his girlfriend worked.

Whilst the man was caught, jailed for up to 5 years and forced to pay $33,000 in damages to the hospital, the hospital could have done much more to eliminate this risk.

Lessons to be learned:

    • Allowing access to home email from work IT systems increased the risks, and additional protection was required.
    • Anti-virus/anti-spyware software might have prevented or identified the spyware and alerted the systems administrators.
    • ‘System hardening’ could have helped.
    • The breach was likely caused by poor policies and procedures within the hospital and a lack of training for the staff. Make sure all staff are aware of what constitutes sensitive information and that such information has adequate levels of protection.
    • Never send sensitive information across the internet or by email unencrypted.
    • Don’t spy on your girlfriend!

Article by Dave James, MD of Ascentor
