West Suffolk NHS Foundation Trust selects Zivver to empower staff and patients to share sensitive information securely and prevent data leaks
The GDPR and the UK Data Protection Act (DPA) require that companies and institutions report data leaks promptly and thoroughly, or face severe consequences. Meanwhile, reports from the UK's Information Commissioner’s Office (ICO) have shown that 60% of reported data leaks were the result of human error.
Recently we spoke with Jaap Nieuwmeijer, information security coordinator at Partners voor Jeugd (a Dutch institution), about the increased focus on data leaks. The days when a public prosecutor got away with a simple warning for leaving a computer with sensitive information in a rubbish bin are long gone. According to Jaap, the reason is that our awareness of the consequences of data leaks has grown.
Additionally, lawmakers want to increase this awareness and protect European citizens through the General Data Protection Regulation (GDPR). If your company cannot demonstrate that sufficient measures have been taken to prevent a data leak, not only will your reputation be damaged, but you will also receive a warning and/or a high fine.
What causes the most data leaks?
Let’s first determine what a data leak actually is. A data leak occurs when sensitive personal information ends up in the wrong hands. When thinking about data leaks, most people picture hackers looting a badly protected database. In practice, however, human error is the cause most of the time. Mistakes and sloppiness occur under a high workload, and a data leak is hardly ever deliberate. Based on a risk analysis, Jaap Nieuwmeijer has identified the three most common causes of leaks of sensitive personal information.
1- Sending an email to the wrong person
Everybody has done this at some point. You want to send an email to Jimmy. You open Outlook, type in "Jim" and the email program completes the name. But when you press Send you suddenly realise that you have sent the email to the wrong Jimmy. If the message contained personal information, it is a data leak. The annoying thing about email is that you cannot really recall a message once it has been sent. At the same time, you are legally obliged to limit the consequences of a leak. There is nothing else to do than to call the recipient and ask them to erase your message. Your reputation rests fully in their hands, and that is not where you want it to be.
2- Misdirecting an envelope (sending to the wrong person)
We live in the digital era, but we still send a lot of documents by snail mail. As a security consideration we sometimes even send digital files by ordinary postal mail. In most cases this goes smoothly. Sometimes, however, somebody puts an incorrect label on an envelope or puts a document in the wrong envelope. In both cases we are talking about a data leak. You only notice this type of leak when the recipient gives you a call; again your fate and reputation rest fully in their hands.
3- Losing your mobile phone
A third common leak occurs when someone loses their mobile phone. A phone is easily misplaced, and phones often contain large amounts of sensitive information: personal addresses, emails and other confidential documents. Nowadays most phones are protected with a password, but unfortunately this protection is insufficient on its own. Sometimes you can erase the data from your phone remotely, but this does not give you 100% certainty and is only possible when the phone has a network connection. Fortunately most new phones have some type of encryption that automatically encrypts your saved data.
How can I prevent these types of data leaks?
As you can see, accidents happen, but the consequences can be substantial. As stated before, now that the GDPR has come into force, a leak results not only in a (significant) loss of reputation but also in a high fine. That’s why you as a CISO have to do everything in your power to prevent this. On the one hand this means creating awareness amongst your fellow employees. In most cases your laptop will automatically encrypt all saved data, but if your laptop bag contains a notepad with personal information, a leak can still occur. The exchange of files through public services is also a potential risk.
On the other hand, it can be wise to install software that operates in the background and assists your colleagues in making the right choice. Keep in mind that this will only contribute to a safer working environment if the software does not impede users in doing their jobs. If employees have to take extra steps, like manually encrypting their files, they will experience the security measure as a burden, evade it and look for alternatives.
We communicate using different devices through several channels. Solid security software therefore has to protect the different channels of communication, like email and chat, on both desktop and mobile devices. Moreover, an extra form of authentication is needed to ensure that only the intended recipient is able to see and/or read your message. If your software also gives you the possibility to remotely withdraw email messages, you comply with the GDPR, which obliges you to take action to prevent data leaks and to reduce the consequences of a leak.
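To make the "software that operates in the background" idea concrete, here is an added illustration (not Zivver's code, and not a description of how its product works) of a pre-send recipient check of the kind a mail-client plug-in could run. It targets the "wrong Jimmy" case from cause 1: it flags recipients outside the organisation's domain, recipients not in the address book, and contacts whose names share the same autocomplete prefix, and it only asks the sender to confirm when the message also looks like it contains personal data, so routine mail is never interrupted. The domain, address book and the sensitive-data heuristic (a 10-digit number in the shape of an NHS number, or a patient-record keyword) are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed organisation domain for this example (constructed value).
ORG_DOMAIN = "example-trust.nhs.uk"

# Constructed address book: display name -> e-mail address.
ADDRESS_BOOK: Dict[str, str] = {
    "Jimmy Smith": "jimmy.smith@example-trust.nhs.uk",
    "Jimmy Stone": "jimmy.stone@partner-org.example",
    "Jim Taylor": "jim.taylor@example-trust.nhs.uk",
    "Anna Lee": "anna.lee@example-trust.nhs.uk",
}

# Crude, constructed heuristic for "looks like personal data": a 10-digit number
# written 3-3-4 (the shape of an NHS number) or an obvious patient-record keyword.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}\s?\d{3}\s?\d{4}\b"),
    re.compile(r"\b(patient|diagnosis|date of birth)\b", re.IGNORECASE),
]


@dataclass
class Draft:
    recipients: List[str]
    subject: str
    body: str


def looks_sensitive(text: str) -> bool:
    """True when any sensitive-data pattern matches the text."""
    return any(p.search(text) for p in SENSITIVE_PATTERNS)


def domain_of(address: str) -> str:
    """Return the part after the last '@', lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def autocomplete_collisions(address: str, book: Dict[str, str], prefix_len: int = 3) -> List[str]:
    """Other contacts whose display name starts with the same `prefix_len` letters
    as the chosen contact: the names an autocomplete could have matched instead."""
    name = next((n for n, a in book.items() if a.lower() == address), None)
    if name is None:
        return []
    prefix = name[:prefix_len].lower()
    return sorted(a for n, a in book.items()
                  if a.lower() != address and n[:prefix_len].lower() == prefix)


def check_draft(draft: Draft, book: Dict[str, str] = ADDRESS_BOOK,
                org_domain: str = ORG_DOMAIN) -> List[Tuple[str, str]]:
    """Return (recipient, reason) warnings; an empty list means nothing to flag."""
    warnings: List[Tuple[str, str]] = []
    known = {a.lower() for a in book.values()}
    for rcpt in draft.recipients:
        addr = rcpt.strip().lower()
        if domain_of(addr) != org_domain:
            warnings.append((addr, "external recipient"))
        if addr not in known:
            warnings.append((addr, "not in address book"))
        collisions = autocomplete_collisions(addr, book)
        if collisions:
            warnings.append((addr, "similar contacts: " + ", ".join(collisions)))
    return warnings


def requires_confirmation(draft: Draft, book: Dict[str, str] = ADDRESS_BOOK,
                          org_domain: str = ORG_DOMAIN) -> bool:
    """Prompt the sender only when the content looks sensitive AND there is a
    recipient warning, so the check stays out of the way for ordinary mail."""
    if not looks_sensitive(draft.subject + "\n" + draft.body):
        return False
    return bool(check_draft(draft, book, org_domain))


if __name__ == "__main__":
    # Constructed draft: a discharge summary autocompleted to the wrong Jimmy.
    risky = Draft(["jimmy.stone@partner-org.example"], "Discharge summary",
                  "Patient NHS number 123 456 7890, see attached.")
    for addr, reason in check_draft(risky):
        print(f"warning: {addr}: {reason}")
    print("confirm before sending:", requires_confirmation(risky))
```

The design point is the one the text makes: the check costs the sender nothing until both conditions hold (sensitive content and a questionable recipient), which keeps it from becoming the kind of burden people learn to work around.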
Free GDPR Checklist
Our checklist describes the steps you have to take to meet GDPR compliance requirements. It covers creating a processor agreement, obtaining consent for processing personal information and other security measures to be taken. Plus, we've included the 10 key questions every data protection officer or IT security professional should be asking themselves.
Zivver can help your organization prevent accidental data leaks and comply with data protection regulations such as the GDPR, DPA and CCPA. The service integrates directly with the most popular email clients and can be up and running quickly with minimal training required.