The PICNIC Problem & how HR should deal with it
While much of the attention with respect to breaches focuses on cyber security and hacking, most breaches are in fact the result of staff acting in a deliberate but non-malicious manner, not of someone hacking the corporate network. From laptops being left on trains to inadvertently emailing sensitive information to thousands of people, several reports put human error as the top reason behind data breaches (80%-90%). For this reason, the term ‘PICNIC problem’ was created (Problem In Chair Not In Computer).
There are numerous case studies that reflect how damaging getting the simple things wrong can be. One common cause we see time and time again is staff disclosing personal information freely. For example, a well-known mobile phone provider disclosed the address of an individual to two criminals who then robbed her of her phone. Another unfortunate example is a government department disclosing social welfare benefits to private investigators, who extracted the information on behalf of their client for credit rating purposes. Simply verifying the identity of the individual in line with a suitable policy would have prevented both of these scenarios.
As the years pass, these attacks become much more sophisticated. Now the number one cause of concern is staff clicking on phishing emails, which is a major problem for companies. Phishing emails have become very convincing over the years, and most companies have not trained their staff adequately to spot an attack. If you're interested in seeing how PrivacyEngine can help test your staff's susceptibility, click on the link below to arrange a demo.
In one recent example, scammers deepfaked the CEO's voice and convinced an unwitting employee to transfer almost $250k to their account. This is obviously a sophisticated attack, but the same underlying fundamentals would have prevented it. Is there a policy? Are staff trained? Do they know what to look out for, and, critically, do staff understand why these procedures are in place?
So what should a suitable policy in this regard look like and how do we implement such a policy?
As an example, where a company has a call centre, or even just receives incoming calls from customers, employees should have a script or a set of guidelines that specifies in which situations they need to verify the identity of a caller. Most companies would now have this structure in place, yet these types of breaches still occur. The reason is not that the policy was absent or that people were not trained, although this is obviously sometimes the case. The reason is that the importance of doing this was not communicated effectively to the staff. People almost always don’t see the potential harm in what they are doing; this is called intentional non-malicious behaviour. We would always recommend that companies explain the ‘why’ to staff. In our experience, this is a much more effective way of helping staff understand why it is so important not to disclose details of people to other people.
There is an increase in disclosure of personal information by staff via a range of methods: over the phone, through social media, by clicking on fake emails and even through deepfake methods. In most cases people are not intentionally trying to damage the company or disclose sensitive personal information. In fact, in many cases the person disclosing the information is trying to have a positive impact; however, the results are all too often negative. We would always recommend that, in addition to having the correct policy and controls in place, companies try to explain the ‘why’ to staff. Increasing awareness may seem like an obvious programme to initiate, and it is something that would go a long way towards minimizing intentional non-malicious breaches.