“To err is human, but to really foul things up, you need a computer.” – Anonymous
Data security is on nearly everyone's mind these days. And with good reason. Hardly a week goes by without a headline, text alert, tweet or blog post about another data breach, a new-found security vulnerability, or the rising costs of cyberattacks.
Computer hacking has become a world-wide industry, transcending national borders. Potential prey for these cyber-criminals include any computer (or, perhaps more accurately, any “thing”) connected to the Internet or anyone whose personal information is stored, processed or transmitted via computers or other digital devices. Advanced persistent threats are a part of our digital lives.
While high-profile targeted cyberattacks received great attention in 2013, data breaches due to human error continue to be a regular occurrence. Sending a client's financial records to the wrong fax number, transmitting medical records to the incorrect e-mail address, uploading unencrypted confidential customer data to a file-sharing website by mistake, leaving an unencrypted USB thumb drive containing confidential records plugged into a hotel business center computer, downloading client files to an unsecured public computer and not erasing them: the list goes on and on. People make mistakes when storing, sending or using confidential data.
The good news, such as it is, is that more attention is focused on combatting cyber threats today than ever before. The federal government has recently issued a cybersecurity framework that public and private organizations can use to measure and improve their own cybersecurity programs. Many companies have added a new C-suite level position, the CISO (Chief Information Security Officer), to be accountable for corporate cybersecurity. Funding for data protection and cybersecurity is at unprecedented levels. Status reports on cybersecurity are more frequently provided at corporate board meetings and in shareholder updates. When breaches occur, companies are now obliged to disclose that fact to law enforcement, customers and government regulators.
In a 2013 survey conducted by Silicon Valley Bank of more than 200 mid-size technology and health care companies, 98% said they are maintaining or increasing their cybersecurity resources and of those, half are increasing resources devoted to online attacks this year. See, “Cybersecurity Survey: Impact on Innovation,” Silicon Valley Bank (Sept. 2013). Yet in that same study, only one-third reported that they are completely confident in the security of their information and even less confident about the security measures of their business partners.
Allocating more technological and human resources towards data and computer security is certainly a necessary step, but technology alone will not solve the problem.
The Weakest Link in Data Security
“We have met the enemy and he is us.” – Pogo
Completely passive data protection and cybersecurity systems (i.e., ones that do not require or allow any human input or interaction) do not yet exist, and may not be desirable in any event. Consequently, data security continues to be impacted by human factors, the interaction between man and machine.
Convenience and security have been competing values since our ancestors first had to decide how to keep their possessions reasonably secure but still readily accessible. There is a trade-off between the two. Tools that make life more convenient also tend to make it less secure. (See, “Don't Be the Low-Hanging Fruit,” PC World.) Technologies that make life more secure are also generally inconvenient.
Remote access to data using mobile technology or portable storage devices is considered by some to be essential for increased productivity and a better work-life balance. Yet these devices create an array of potential security vulnerabilities. Smart phones, tablets and laptops are prone to being stolen or lost. USB storage devices are similarly susceptible: they are inadvertently left behind or left plugged in to public computers. If unencrypted data is contained on a lost or stolen device, then, voila!, you have a data breach, and given how much data can be carried on these devices, it could be a massive one.
Human input is often the weakest link in any security chain, be it cybersecurity or building security (think of an otherwise locked back door propped open to allow easier access). Our ability to make bad choices or to ignore security protocols has been the Achilles' heel of many security programs. Cybersecurity is certainly not the first one.
In a 2012 study by the Ponemon Institute, 78% of respondents revealed that their organizations had experienced a data breach as a result of negligent or malicious employees or other insiders. A “Top 10” list of risky data security practices was identified, and included the following:
“The Human Factor in Data Protection,” Ponemon Institute (Jan. 2012).
In that same report, employees were found to be reluctant to self-report a data breach: only 19% of the time was the breach self-reported, making it difficult to immediately resolve the breach.
Another recent study of U.S. IT professionals noted that the worst offenders in high-risk electronic behavior are often senior managers, particularly in companies that lack a pervasive culture of data security that emanates from the top of the organization. Because upper management generally has more access to valuable information than lower-ranking employees, the consequences of data security misbehavior can be more severe for the company. Risky activities included frequently uploading work files to their personal e-mail and cloud accounts or accidentally sending sensitive information to the wrong person. Personal technology preferences contributed to many of the transgressions, but time pressure, lack of patience for security measures that add time, and having to deal with subpar Internet access while on the road also played a role. See, “On the Pulse: Information Security Risk in American Business,” Stroz Friedberg (2013).
Technology can provide significant data security, but at the end of the day, most, if not all data security systems rely on some form of human buy-in and cooperation. Data security systems that are particularly inconvenient, not easily understood and implemented without sufficient explanation or training will probably fall short of their goals.
Let's start with passwords. Some systems require long passwords that are changed monthly and include upper and lower case letters, numbers and other characters, on the theory that passwords that are complex and frequently changed will be less likely to be compromised. Yet just the opposite may be true. Experience has shown that when people are obliged to use complex passwords that are changed often (and are thus more difficult to remember), many will write them down and tape them to their monitor. How secure is that?
Similarly, security processes not properly explained to employees may be perceived as unimportant, and thus compliance may not seem essential. For example, to increase productivity or to allow more flexibility in work/life issues (i.e., convenience), many companies allow employees to take work files “off-campus” and work on them at home. Employees who are permitted to take home company files on a laptop or portable USB device may not appreciate the data security issues associated with doing so, or the consequences of sending company files to their personal e-mail account so they can work on them on their PCs at home.
Technology + Basic Training = Better Data Security
Increasing employee participation in data security practices is not necessarily a hard sell, and it need not be as draconian as overtly conditioning continued employment on it.
First, make it personal. Help the workforce see that they will personally benefit from learning data security safeguards, because many of them can also be applied to protecting their personal and family information. Understanding proper password protocols, recognizing potential phishing e-mails, protecting against theft or loss of mobile devices or USB storage devices, using safe Wi-Fi hygiene in public locations, etc., are skills that will protect personal information as well as business data. Consequently, the time spent to learn and apply those security practices for work also benefits the employee.
Next, data security is more likely to be observed when it is viewed as an important part of the company culture. Employees who see security measures practiced at the highest levels of the organization are more likely to embrace those measures as a necessary part of their job as well.
Security measures should be constantly assessed for their effectiveness. If parts of the data security process are especially time-consuming or difficult to complete, consider whether they can be accomplished in a simpler manner, or if additional fail-safe measures are required. Why? There is a good chance that employees are already looking to shortcut or completely avoid steps they perceive as being an unnecessary waste of time or burden. Again, think of the locked back door that gets propped open because it saves time.
Finally, don't forget about outside consultants and vendors who may have some form of access to company networks and data. If those individuals and organizations do not understand and follow the company's data security systems and protocols, then they will be the weak link in the chain and could become the portal for a crippling cyberattack. Identifying and repairing security vulnerabilities after an attack is akin to closing the barn door after the horses have already left: too little, too late.
Conclusion
Despite the increased attention to data security in the last few years, and the advances in technologies used to identify and respond to cyberattacks, data breaches and computer hacking still occur. Technology alone will not prevent further breaches or attacks due to human factors and the trade-off between security and convenience. Assuring that employees understand, appreciate and will cooperate with security protocols is a necessary feature for any effective data security system.
Patrick X. Fowler, Esq. is a Partner with Snell & Wilmer LLP in the Phoenix, AZ, office. He helps companies dealing with technology issues related to Internet/e-commerce claims, intellectual property disputes, data privacy and security concerns and e-discovery issues. He can be reached at 602-382-6213 or [email protected].