BoE email leak: how to solve a problem like human error
Alexander Pope said, "To err is human; to forgive, divine." Could he have been thinking of the infamous Bank of England email leak when he said that, asks Rainer Gawlick.
Rainer Gawlick - Intralinks
A Bank of England employee may be hoping that his superiors are disciples of Alexander Pope. That's because it has emerged that the employee in question accidentally shared details of the bank's highly confidential examination of the financial risks of the UK leaving the EU – codenamed “Project Bookend.”
The email from Sir Jon Cunliffe's private secretary was intended for four senior executives but was inadvertently also sent to a journalist at The Guardian. Not only did the email contain details of the highly confidential plan, but it also listed internal instructions explaining how to deny the existence of the project.
Most data breach headlines originate from hacking attacks, whereas most incidents of data loss are actually a result of human error. Most of these go unreported or, when they do surface, get under-reported, possibly because they conjure up an image of a fat-fingered office worker rather than a nefarious hacker in a gloomy basement. But as the Bank of England case shows, the consequences of human error can be every bit as serious as data breaches caused by external attacks.
And whereas companies spend millions defending against attacks from malicious outsiders, the very significant risk posed by clumsy or unthinking employees is too often ignored. It's an uncomfortable thought, but employees routinely breach policy and behave badly when it comes to data sharing and collaboration. For example, Ponemon Institute research shows that almost one-third of respondents (32 percent) say more than half of employees in their organisation regularly share files outside the company/beyond the firewall. Worryingly, safeguards designed to protect against this behaviour are often inadequate.
The same Ponemon research demonstrates the scale of the problem posed by human error. Sixty-one percent of respondents admitted to often or frequently sending unencrypted emails, failing to follow policy on document deletion, using personal file sharing and storage apps for enterprise assets and accidentally forwarding files to individuals not authorised to receive them.
Risky file sharing practices ranked highly in the research, and the root causes of this behaviour were also identified, with negligence and deliberately ignoring policies both scoring highly as causal factors. Educating employees on risk is one answer, but even that only goes so far because it doesn't solve the problem of genuine errors. Humans are fallible; we make mistakes. So while education is a positive step, the real question is what else can be done to eradicate these types of leaks?
The answer is to combine user-focused strategies such as specific data protection training with technological solutions. Some advanced collaboration and document sharing solutions now offer an “unshare” feature, which revokes access to shared files regardless of where they have come to rest, or how many times the document has been copied or shared. This feature acts as a failsafe mechanism to enable safe collaboration and secure sharing, offering complete peace of mind in knowing that, if the document needs to be retracted for any reason, every instance of it can be destroyed in a click.
Eliminating human error completely is an unrealistic goal. Yet in a world where organisations need the freedom to share critical documents and data online, it's reassuring to know that there are controls to guard against inevitable user error and give organisations total control of their assets at all times, wherever that data resides.
This latest leak should encourage organisations to tighten up such technological controls in the ongoing battle against human error. Sharing highly sensitive financial documents with a national newspaper is never a good day in the office, but even with the exposure generated by this story we can be sure that it won't be long until the next breach hits the headlines.
Contributed by Rainer Gawlick, EVP, Intralinks