Cybercriminals and hackers get most of the attention. Think no further than the WannaCry and Petya viruses. But private information is equally at risk when trusted organisations carelessly mishandle sensitive data, jeopardising reputations and confidentiality.
Just last month it was revealed that an SAS trooper’s secret evidence, given ‘in camera’ to the Australian Senate inquiry examining the military’s use of resistance to interrogation training, was mistakenly sent to the very organisation he was criticising.
A transcript of the soldier’s evidence, which disclosed the identity of a senior intelligence official and revealed highly controversial training methods, was mistakenly distributed to every witness who appeared before the inquiry, including military and civilian personnel. The secretariat for the Senate standing committee apologised, saying it was an administrative error and that they are “dealing with the individual concerned.” Which was hardly helpful.
A few weeks earlier, home-schooling families in Victoria were distressed to find that details had been posted online about their children, who had been pulled out of school because they were bullied, had mental health issues or received inadequate support for disabilities. The blunder occurred when hundreds of submissions to the Victorian Education Department were uploaded to the department’s website without personal information being redacted.
Around the same time, the Department of Parliamentary Services in Canberra admitted that personal mobile numbers of many federal politicians, their staff and former prime ministers were inadvertently published on the Parliament House website.
Sadly, such failures are all too common and, needless to say, are not confined to government agencies. Think back no further than last December when the National Australia Bank mistakenly sent information including the names, addresses and account details of about 60,000 migrant banking customers to the wrong email account. The bank blamed human error and said 40 per cent of these customers had closed or had not used their accounts that year, and just under a third had balances of less than $2. That might have provided some reassurance, but the central issue is not the detail but how and why such human errors keep happening and what’s being done to prevent them.
Of course genuine online errors sometimes occur, and they can be very damaging to security and reputation. Consider United Airlines, still reeling from global condemnation of the violent ejection of an overbooked passenger. Just weeks later the embattled company came under renewed scrutiny when a flight attendant inadvertently posted the company’s secret cockpit access codes on a public website. What followed were the usual apologies and promises to improve. But when sensitive information is disclosed and lives are affected, it’s too easy to fall back on phrases such as “No-one is perfect” and “Mistakes do happen.”
Most importantly for managers everywhere, such errors are never “just an IT problem.” While hacking and cybersecurity tend to grab the headlines, and the usual focus is system integrity, the risk of simple human error is a massive issue and crisis vulnerability. To crisis-proof the organisation, what’s needed is detailed attention from the executive suite. Improvement to data security demands better resourcing, better systems, better training, better supervision, better personal awareness and greater accountability. The old joke was that the most dangerous component in a motor car is the ‘nut behind the steering wheel.’ In the online world, the most dangerous vulnerability just might be the careless individual behind the keyboard.