The Human Element in the Data Breach

Posted on by Christopher Burgess

We are all familiar with the adage, "to err is human; to really foul things up requires a computer," which implies that the computer may be to blame for many data breach calamities. Alas, it appears the erring human is also culpable. Take, for example, the recent kerfuffle surrounding Apple's iCloud and the compromise of celebrity accounts containing salacious photos. After much slinging of innuendo and blame, it turned out the technology (iCloud) was not breached. The lack of cyber hygiene on the part of the victims—the human element—was the culprit. The iCloud incident occurred simply because there were so many individuals with poor security practices on the platform.

Trend Micro’s Rick Ferguson explains how users can be more hygienic on the CounterMeasures blog:

  • If an online service offers options to increase your security, use them.
  • Do not reuse passwords across accounts.
  • Set knowledge-based reset questions—make sure only you know the answer. (For example, if hackers can look up your mother's maiden name on, they will.)

The Medical Field Is also at Risk . . .

Let's look at the medical arena, where information is dispersed across multiple entities, and we see a growing disaster. Rarely does a day pass without an announcement of a data breach. In mid-September, the Aventura Hospital and Medical Center reported its third breach in the past two-years. The most recent was caused by, you guessed it, the human element. An employee improperly accessed patient information, including names, birth dates, and social security numbers. While no financial or health information was compromised at this point, it did not take long for the data which had been compromised to be criminally monetized, such as through false tax returns. The technological controls at the medical center may have been top notch, but they apparently lacked the ability to detect the unauthorized access (and harvesting of 82,601 records) by an employee.

. . . And So Is the Retail POS Industry

And then we have the virtual tsunami of payment system breaches—Target, Home Depot, and Goodwill Industries, to name a few. They all had one thing in common: their vendors lacked system monitoring and audit capabilities. These three breaches touched hundreds of millions of individuals. The cost in unintended expenses for the banks, the consumer, and the many small businesses that are now updating records for both themselves and their clients, is also totaling hundreds of millions of dollars in non-recoverable burn. The unintended consequences of poor security procedures are that everyone pays for the individual’s lack of attention to detail.

So What's the Solution?

Some say the answer is in educating those who have access to the information. Others suggest that one should treat sensitive data the same way banks treat cash—a two-person rule, with close observation and checks and balances. It will not stop the human element from rearing its head, but it will increase the likelihood that it is noticed. Evolving the doctrine of "trust no one" and putting in place well-tuned verification software will be key to ensuring the homogenization of technologies and the human element.

Christopher Burgess

, Prevendra Inc.

password management

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community