Digital transformation in the UK public sector has accelerated. Essential measures implemented to control COVID-19 have disrupted analogue processes, such as sending a letter or fax. There’s no point sending a letter if there is no one in the office to open it. Digital processes have become the default as government employees work from home, and citizens need to access public services and support remotely to stay safe.
As this transition continues, it’s inevitable that the expanding digital footprint of public services will increase the amount of digital personal data residing in public sector systems and handled by government employees. What also seems inevitable, but shouldn’t be, is the high risk of human-activated data leakage due to digitalisation.
Figures published by the ICO showed that central and local government organisations accounted for 12% of all reported personal data breaches in the second half of 2019. 92% of these were classed as “non-cyber incidents” attributed to human error or theft. Of these incidents, 23% were directly caused by mis-sent emails, failure to redact sensitive content or failure to use BCC.
Mitigating the risk of employee mistakes – and identifying those who deliberately leak data – must be an essential element of any organisation’s data security strategy. However, as recent Egress research shows, there is a broad range of reasons and scenarios in which employees leak data; identifying and understanding these will help frame how data security teams in the public sector need to respond.
The one in ten… ill-equipped, self-interested or under pressure
Egress surveyed 1,000 government sector employees to discover what situations lead to intentional and accidental insider data breaches. One in ten said they or a colleague had intentionally broken company policy in the past year. When asked why one-third said that they took a risk because they hadn’t been provided with tools to share data safely. While it is hard to criticise those who are just trying to get the job done, this keen but risk-taking profile is an unfortunately common cause of breaches.
Less virtuous are the 27% who said they took data with them when they moved jobs. Our research has shown that workers have a very proprietorial attitude to the data and information they work on, frequently assuming that creation confers ownership. Just over one-third (34%) of government employees said they don’t think the organisation has exclusive ownership of data. It explains their predisposition to walking out of the door with it when a new career opportunity beckons.
For public sector employees who admitted to causing an accidental data breach, phishing was one of the biggest issues. 28% admitted clicking on a link in a phishing email and 8% responding to a spear-phishing email. However, more than one-third accidentally sent information to the wrong person. This seems to be a common problem in government organisations. Overall, 41% said they had received an Outlook recall message or an email telling them to disregard a communication sent in error.
When asked why these mistakes had occurred, human factors are high on the list. One-fifth attributed their error to working in a pressured environment, 15% were tired, and 19% were rushing. 14% said an incident happened because they were using a mobile device. It’s a risk that will inevitably increase as home and mobile working continues in the current climate.
Tackling insider breach risk – too high a risk appetite?
The 113 government IT leaders we surveyed seem somewhat resigned to insider breaches. 78% thought employees had put data at risk maliciously and 86% thought they’d done so accidentally in the past year. Looking forward, a quarter of them felt it was likely they would suffer a breach in the coming year.
Despite this, fewer than half of IT leaders said they were using technologies such as email encryption, anti-virus and secure collaboration software to help prevent insider breach risk. There seems to be a sense that human-activated breaches are inevitable within the public sector. It means risk appetite is set at a level that accepts a 25% breach risk – but will likely prove a lot higher given evidence to date.
Addressing human layer security – bridging the current risk gap
So, the question is, how can we close that risk gap and better protect citizens’ data? It’s simply not possible for government IT leaders to “fix” most of the root causes of breaches. People will always get tired, stressed and rushed, given the pace at which organisations must operate. Even in “perfect” conditions, they’ll still make mistakes. Sadly, the gift of more time and resources is beyond the capability of security teams to deliver.
Similarly, IT leaders cannot be the moral guardians against worker dishonesty. These are all human, not technological, failings. That is why we believe that a specifically human layer security programme is the only effective answer to mitigating insider breach risk.
Human layer security identifies the risk points in employees working processes and ensures that there is a safety net to support them when they are vulnerable to tiredness, rushing and stress, preventing them from making mistakes. It also acts to put a brake on employees who might be more reckless or dishonest with sensitive government data, protecting it against malicious leaks.
AI and machine learning are key to human layer security
AI and contextual machine learning can identify what typical user email behaviour looks like. Human layer security learns the normal sharing patterns, contacts and data types that flow between users and organisations. Once this benchmark is established, users are alerted when they deviate from their typical behaviour. It might be they have been rushing and included an external recipient address into a usually internal email group, due to an incorrect suggestion by autocomplete.
It also identifies when users are emailing a new contact or domain for the first time. This is particularly valuable in the case of phishing and spear-phishing emails where the deception depends on users failing to spot tiny address changes. Alerts allow users to correct the error before a breach occurs. It helps build a culture of tighter security without adding cumbersome extra processes to an already busy employee’s workflow.
To protect the data itself, the key is knowing what data is about to leave the organisation. An intelligent solution can scan email and attachment content. It identifies data such as personally identifiable information (PII) or bank account details. It can alert users that they are about to send information to an unauthorised recipient or without the correct degree of encryption. If the user persists, the risky email can be blocked from being sent, and administrators alerted to a potentially intentional attempt to breach data so that they can respond accordingly.
The key to human layer security is that it works with the users to support them when human factors intervene to introduce risk. It is the missing piece of the email data protection puzzle that means insider breach risk must no longer be accepted as an inevitable price of day-to-day operations.
Egress Software Technologies is the leading provider of privacy and risk management services enabling organisations to meet and maintain stringent compliance requirements, mitigate the risk of a data breach, and confidently undertake digital transformation and business efficiency initiatives.
Offering Public Sector and Enterprise customers an all-encompassing user-centric platform approach to data security enables organisations to comprehensively manage risk by empowering users to secure data quickly and easily.
These award-winning integrated services include data discovery and classification, software to prevent emails being sent to the wrong person, email and file encryption, secure online collaboration, and audit and compliance reporting.
Certified by government, the Egress platform offers a seamless user experience, powerful real-time auditing and patented information rights management, all accessible using a single global identity.