Australia recently enacted a law that requires organizations to notify affected individuals and the regulator when personal data is breached. The Australian Information Commissioner released its Quarterly Statistics Report for Q1 2018, and one of the findings is that about half of the reported breaches were attributed to “human error”.
It occurs to me that human error is at the root of all of these breaches, not just the half labelled that way. Those attributed to human error are simply the cases where (apparently) the last action in the chain of events that led to the breach was a human making a mistake.
After that, it gets more nuanced. If we follow the chain of events backward, it seems we will always end up at a human error as a cause. For the breaches classified as “malicious or criminal attacks”, doesn’t the person clicking on a malicious link count as an error? Doesn’t the person who designed the environment so that clicking a malicious link could lead to a data breach count as human error? What about the IT person who unknowingly exposed RDP to the Internet with a weak password? Or the manager who saved some money when implementing a system, and in doing so caused patches to be delayed because the system can’t be taken down during the week? Aren’t all of those human errors, too? Why does the fact that some opportunistic criminal took advantage of these “upstream” human errors cause us to think about their causes differently?
Oh, and for those that ARE in the human error category in the report, I suspect that, similarly, the cause of the breach was not so much the person who “made the error” as the person who designed the process in a way that allowed such an error to lead to a breach at all.
It seems clear to me that we really only consider the “end nodes” in the chain of events that led to a data breach, and I suspect we will not make material improvements until we accept that we need to deal with the actual causes of breaches, which occur much earlier in the chain.