The problem with data loss is you!

World Backup Day 2024 came and went, but the ever-increasing likelihood of data loss ominously remains. During the fourth quarter of 2023, data breaches exposed more than eight million records worldwide, according to Statista. Every organization should be in no doubt: it’s not a case of if, but when.

Amidst the fortress of technological advancements and security protocols, a glaring vulnerability persists, lurking within every corridor of every organization.

According to Verizon's 2024 Data Breach Investigations Report, a staggering 74% of breaches trace back to what they term the "Human Element." These breaches span a spectrum of human-induced errors, from crafty social engineering ploys to inadvertent missteps and misuse of privileged information.

IBM’s 2023 Cost of a Data Breach Report paints a grim picture, revealing an historic apex in data breach costs, skyrocketing to an average of USD 4.45 million in 2023. The fallout is multifaceted. As well as legal entanglements and hefty fines, data breaches exact irreparable damage on a company's reputation, eroding consumer trust and inviting regulatory scrutiny – a nightmare scenario for any enterprise.

Chances are, we've all fallen prey to one or more of the human errors that contribute to data loss: mistakenly deleting or misplacing files, sending an email to the wrong person, leaving computers unlocked while fetching a coffee, unwittingly divulging information to third-party inquiries – the list is endless. Staying vigilant and focused 100% of the time is a difficult task. After all, we're only human.

However, the consequences remain dire. In this article, we delve into the top five human errors in data management that pave the way for data loss – and what organizations can do to protect themselves.

1. Ignoring software updates and security patches

The allure of convenience often lulls individuals into complacency, fostering a laissez-faire attitude towards software upkeep. Whether due to forgetfulness or a misguided sense of invulnerability, neglecting updates can have severe repercussions. Failing to install patches provides malicious actors with an open invitation to exploit vulnerabilities. Without robust backups, recovering lost data becomes an uphill battle.

By adopting a proactive stance on software maintenance and staying abreast of security advisories, organizations can bolster their defenses and inoculate themselves against potential threats.

2. Poorly managed high-privileged accounts

Only 38% of organizations update admin passwords quarterly; the remainder do so annually or even less frequently, according to The Netwrix 2018 IT Risks Report. However, accounts with high privileges wield significant power, and the laxity surrounding them transforms them into prime targets for attackers. Malicious actors can leverage compromised admin credentials to circumvent access controls on various resources or IT systems and gain entry to a company’s sensitive data.

Implementing the least-privilege principle across all accounts and systems where possible is a crucial preventative measure. It can help to minimize accidental deletions and stop ransomware attacks from spreading across a network. Temporary privileges granted should be monitored in real-time to ensure any suspicious activity is dealt with immediately. Additional layers of protection include establishing separate administrative and employee accounts, upgrading email security with encryption and sensitive data detection, and implementing two-factor authentication.

3. Inadequate password practices

In its Psychology of Passwords Report, LastPass found that 59% of people use the same password for every account, amplifying the risk of credential compromise. Some users still rely on easily guessable passwords, such as “password” or “123456”. Even robust passwords aren't impervious to compromise – especially if they are shared with co-workers or stored in unsecured documents or devices.

IT professionals are not immune to human error either; in its 2022 Password Decisions Survey, Bitwarden found that 53% use email to share passwords with colleagues, and 42% of organisations rely on sticky notes for password management, according to The 2020 State of Password and Authentication Security Behaviours Report by The Ponemon Institute. Even more alarming: in its Workplace Password Malpractice Report 2021, Keeper Security discovered that 44% of employees say they use the same login credentials across both personal and work-related accounts.

As well as regularly rotating passwords and using a password manager, employees should be equipped with training to ensure they understand the consequences of poor password security. Organizations should also incorporate security reminders during login processes.

4. Allowing unauthorized access to company-issued devices

The blurring of boundaries between personal and professional spheres introduces a host of security vulnerabilities. Statista found that up to 20% of UK employees allowed friends and family members to access their company-issued devices in 2021. While allowing someone to quickly check their email may seem innocent, actions like these open the floodgates to potential malware incursions, jeopardizing sensitive data in the process. While the likelihood of friends and family intentionally snooping for sensitive data is low, they may easily inadvertently download malware that could provide access to corporate data, cloud applications and storage.

Businesses must establish clear policies regarding device usage. Kingston Technology’s encrypted USB drives and SSDs, for example, are a great solution for remote or travelling employees who require access to sensitive company data. All devices should also be equipped with necessary security controls, including screen locks, two-factor authentication, application blacklisting, and remote wiping solutions.

5. Succumbing to phishing or social engineering attacks

Phishing and social engineering attacks are rampant, with studies indicating that 98% of cyberattacks exploit these tactics. Hackers trick users into divulging sensitive information or downloading malware through deceptive emails, often masquerading as legitimate sources, tricking users into clicking malicious links or opening infected attachments. A notification to reset a password or view a file shared by a co-worker, for example. When these attacks are used to deploy ransomware or other types of malware, they can cause permanent data loss. Despite increasing awareness of these threats, many people still fall victim due to lack of caution and cybersecurity training.

It's crucial to provide regular, ongoing education to employees. No amount of training or preparation can prevent all accidental data loss, but developing and regularly testing a comprehensive business continuity plan can greatly mitigate the risk.

Final words

In the digital age, data loss isn't just a technological problem, it's deeply human. Mistakes are inevitable, and data loss due to human error is an unfortunate reality that every business must prepare for.

With ransomware attacks rising, regular backups are the most effective way to prevent permanent data loss from human error, along with employee training and stricter access controls. Hardware-encrypted solutions offer more robust and comprehensive data protection than software-based options for true “password protection” of essential files. Recognizing the role of human behavior in vulnerabilities and taking proactive, people-focused security steps can give organizations a fighting chance when – not if – the time comes.

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro