It was recently reported that Hillsview Academy suffered a huge data breach after parents were posted information about other pupils in the school. After a mailroom error the personal details of up to 100 students ended up the wrong hands. It was no surprise that the mishap caused outrage as the information received had everything from names, addresses, and their medical history right through to how the children get to school.
Whilst this was not an IT failure, this certainly highlights the prominence of human error. Human error is the biggest known cause of data loss. In this particular situation no IT tools could have helped; it was down to somebody doing a careless job. However, if a similar incident were to happen via email, there are numerous different products available to prevent such breaches.
It’s also worth noting that in May the long-awaited update to 1998 Data Protection Act is taking place – the GDPR (General Data Protection Regulation). GDPR is designed to protect personal information and comes with hefty fines for error or non-compliance. If Hillsview’s breach had happened post-May, the school could have received a fine of up to £20 million!
When it comes to IT, there are a number of products which we can help safeguard your business and take the worry out of human error.
Office 365 Information Rights Management
Office 365 has some great security features. Perhaps most notable for this situation is Information Rights Management. This enables users to grant and revoke certain permissions to recipients. For example, you can grant recipients permission to view the file, but not to edit the file. You might also prevent them from copying from the document, printing the document, and sending the document. IRM also allows you to rescind access, either manually or on a timer. So, you might automatically rescind access after 10 days for example.
In the case of Hillsview Academy, if this information were to be sent electronically, the sender could have immediately remitted access, keeping the information confidential.
Office 365 Documentation Classification
Azure Information Protection allows the classification of documents. You could for example label documents as being confidential and allow access only by certain individuals within your organisation. This prevents documents from being shared to the wrong users within the organisation, and, quite simply, acts as a reminder that users are dealing with highly confidential information.
Encryption is essentially turning a document into an unreadable format by jumbling up the contents. An encryption key (a password) is needed to encrypt and decrypt the contents. ESET Encryption enables you to encrypt much more than just a document; you can encrypt the contents of a memory stick for example, or even your entire machine.
For example, you might choose Full Disk Encryption which will encrypt your entire machine and require you to enter a password before your machine even starts up. You can also send encrypted emails. This would be particularly useful for the Hillsview Academy as each parent could have their own encryption key to decrypt their confidential information. Using ESET Encryption would mean that if parents were sent the wrong information, the encryption key would not match and therefore they could not access the information.
It’s worth noting as well that under GDPR, if an organisation suffers a data breach, but the breached information is encrypted, then confidential information has not been exposed. Of course, there would be lessons to learn from the breach regardless of whether the data was encrypted or not, but the chance of receiving a fine would be lessened.
If you have any concerns about data security, the impact of human error or the processes you use to handle data give us a call on 01642 309767.