Guide Objectives
- Understand data security risks related to human error
- Assess the likelihood of these errors occurring
- Assess your team’s knowledge and risk areas concerning data breaches
- Identify your key risk areas & mitigation strategies
Data is increasingly accessible from any device, in any location, and at any time. While this access to data is often beneficial for organizations, it does come with heightened risks of data breaches. With increased accessibility comes greater potential for malicious actors to disrupt the flow of business and program operations, causing harm to the organization and communities you work with.
Protecting your organization and the communities it serves from the harm of data breaches requires an understanding of where the risks lie. One 2023 industry study found that 74% of data breaches involve a human element. This guide therefore focuses on assessing the risk of human error leading to data breaches within your organization.
Guide Specific Disclaimer
As technologies evolve, so do data breaches and malicious tactics to disrupt organizations. While this guide addresses common risk assessment needs, supplement it with your own research, particularly if working in high-risk sectors and when working with vulnerable populations.
Develop an understanding of common human errors that lead to data security risks
The first step in this process is to understand the common errors people make that can lead to data breaches. These include acting on phishing emails, using weak or reused passwords, handling data improperly, and so on. As you will see, human error can often seem like a simple mistake, yet it can have serious consequences for the organization and for the people the data represents.
Common Errors Include:
Phishing Emails – Acting on a deceptive email by clicking a link or attachment, or by entering login credentials or financial details on a page the attacker controls
Weak or Reused Passwords – Using easily guessed passwords, or reusing the same password across multiple accounts, so that one leaked password opens several systems
Improper Data Handling – Leaving documents or devices containing sensitive information unattended, or transmitting or storing data without encryption
Unintentional Data Sharing – Accidentally sharing confidential information with unauthorized parties through misaddressed emails, improper document-sharing settings, or social engineering (psychological manipulation) tactics
Lack of Security Awareness – Not being adequately trained or aware of security best practices makes employees more susceptible to social engineering attacks or risky behaviors
Insider Threats – Malicious actions by disgruntled employees, contractors, or partners who intentionally leak or steal sensitive information for personal gain or to harm the organization
BYOD (Bring Your Own Device) Risk – Using personal devices for work without proper security controls, potentially exposing sensitive data if the device is lost, stolen, or compromised
Failure to Update Systems – Neglecting to install software updates and security patches, leaving systems vulnerable to known exploits and attacks
Unauthorized Access – Accessing data or systems beyond authorized permissions, either due to curiosity or malicious intent
Data Breach – Not an error in itself but the outcome the above errors can produce: a security incident in which unauthorized individuals gain access to sensitive, confidential, or protected information. This can involve the unauthorized acquisition, disclosure, alteration, or use of data, compromising its confidentiality, integrity, or availability.
Assess the likelihood of these errors happening within your organization
With a better understanding of what these common risks look like, you can now complete the Human Error Risk Assessment (XLSX). The purpose of this template is to help you prioritize and organize the risk assessment process, so that your organization can focus its assessment effort on the human errors that are potentially the most harmful or the most common, reducing the resource burden.
Starting with Column C, you will evaluate the likelihood of each type of error happening within your organization. You can use the following questions to help guide you in that process:
- What types of human error have led to data security issues for your organization in the past or that are currently happening?
- Whether or not it has led to a data breach, what type of human errors have you witnessed within your organization?
Identify the best methods to assess the risk of human error within your team
Next, in Column D, you will note how you can assess these risks within your organization. It may be the case that you will need to hold different assessments for different types of risks.
For example, the risk of falling for phishing emails can be assessed by running a simulation: send staff a realistic but harmless email with a tracked link and measure both the click rate and the rate at which people report it. Agree the exercise with leadership beforehand and use the results for training rather than discipline, or staff will stop reporting. Risks associated with BYOD could be assessed via a quiz that gathers insight into how personal devices are used and shared outside of work settings.
For smaller organizations or teams, it might be easiest to hold discussions with staff to assess risk. Larger organizations may find this process unwieldy, and focus more on quizzes and simulations. It is important to choose the assessment method that is most effective for your organization.
To help you in this process, we have provided some external resources and questions that can be used for quizzes or interviews.
Sample assessment discussion questions include:
Password Security:
- Do you share your passwords with colleagues or use the same password for multiple accounts?
- How often do you update your passwords? Do you use processes or tools, such as a password manager, to ensure your passwords are long, unique, and not easily guessable? Do you turn on multi-factor authentication where it is offered?
Data Handling Practices:
- How do you typically handle sensitive information in your day-to-day work?
- Are you cautious about sharing sensitive information via email or other communication channels? What precautions do you take?
Device Security:
- Do you lock your computer screen when stepping away from your workstation?
- Do you store sensitive data on personal devices or cloud storage accounts?
- Are you aware of the risks associated with using personal devices for work purposes (e.g., BYOD)?
- Are there other people who use your device, such as family members, outside of work?
Phishing Awareness:
- How do you recognize phishing emails or other social engineering tactics?
- Do you know how to report suspicious emails or security incidents to the right contact within the organization?
Incident Reporting:
- Do you know who to contact if you suspect a security incident or data breach?
- Have you ever encountered a situation where you made a mistake that could have compromised data security?
Run the assessment(s)
Once you have decided on the methodology, it is now time to run the assessment(s). Whether running it through staff discussions, surveys, quizzes, and/or simulations, there are a few key points to consider:
- Your assessment needs a response rate that is high and diverse enough to hold value – the goal is a snapshot that includes responses from all types of staff (leadership, programmatic, operations, new, long-time, etc.)
- Hold the assessment over a short period of time (two weeks at most) – the goal is to have a snapshot understanding of data risks associated with your staff, not to hold drawn-out reviews
- Develop a plan to reassess at least annually – this is important as staff behaviors change within an organization due to a number of things (new staff, accessible training, etc.)
Review results and identify key risk areas
After you complete an assessment, make sure the results are captured in the template. It is important to keep track of these risks in one place. You can fill out Column E of the Human Error Risk Assessment sheet with your results.
In these reviews, it is imperative that all areas of potential concerns are highlighted. You will want to also consider two areas when identifying key risks:
- Organizational culture – The way your organization runs, its leadership, and its use of data all should be taken into consideration. For example, if your organization works primarily from shared or public workspaces and the assessment shows that people often leave computers unattended and unlocked, that is a particularly high risk.
- Sensitive data – The same error carries different weight depending on what data the person can reach. For example, if the CFO, who has access to all financial data, reuses weak passwords and works from public Wi-Fi in coffee shops, that is of high importance. If a program assistant with no access to sensitive data does the same, it matters less, though it still warrants training.
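The weighting described above, together with the staff-cohort coverage check from "Run the assessment(s)" and the click and report rates from a phishing simulation, can be scripted so the template's Column C and Column E values produce a ranked list. The following is an added example, not part of the original guide or its spreadsheet; the 1-to-5 scales, the role-to-sensitivity mapping, the context multiplier, and all sample rows are assumptions chosen for illustration.

```python
"""Rank human-error risks by likelihood (Column C) weighted by the sensitivity
of the data reachable by the staff who showed the behaviour (Column E), and
check that the assessment sample covered every staff cohort.
All scales, mappings and sample data below are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed 1-5 scale: how sensitive is the data a role can reach.
ROLE_SENSITIVITY = {"cfo": 5, "program_lead": 4, "operations": 3, "program_assistant": 1}

# Staff cohorts the assessment snapshot should include (from the guide's list).
COHORTS = ("leadership", "programmatic", "operations", "new", "long_tenure")


@dataclass
class RiskEntry:
    error: str                        # row label in the template
    likelihood: int                   # Column C: 1 (rare) .. 5 (frequent), assumed scale
    observed_in: tuple                # roles that showed the behaviour (Column E)
    context_multiplier: float = 1.0   # culture factor, e.g. 1.5 for shared workspaces

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"likelihood must be 1..5, got {self.likelihood}")


def impact(entry: RiskEntry) -> int:
    """Worst-case data sensitivity among the roles exhibiting the error.
    Unknown roles default to 1 so a typo cannot silently inflate a score."""
    if not entry.observed_in:
        return 1
    return max(ROLE_SENSITIVITY.get(role, 1) for role in entry.observed_in)


def score(entry: RiskEntry) -> float:
    """Likelihood x impact, scaled by the organisational context."""
    return entry.likelihood * impact(entry) * entry.context_multiplier


def rank(entries):
    """Highest-scoring errors first; ties broken by likelihood, then label."""
    return sorted(entries, key=lambda e: (-score(e), -e.likelihood, e.error))


def coverage_gaps(responses, cohorts=COHORTS):
    """Cohorts with no responses: the snapshot is not diverse enough to rely on."""
    seen = {r["cohort"] for r in responses}
    return sorted(c for c in cohorts if c not in seen)


def simulation_rates(results):
    """Per-cohort click and report rates from a phishing simulation.
    Each result is {"cohort": ..., "clicked": bool, "reported": bool}."""
    counts = defaultdict(lambda: [0, 0, 0])  # total, clicked, reported
    for r in results:
        c = counts[r["cohort"]]
        c[0] += 1
        c[1] += int(r["clicked"])
        c[2] += int(r["reported"])
    return {k: {"click_rate": v[1] / v[0], "report_rate": v[2] / v[0]}
            for k, v in counts.items()}


# Constructed sample rows standing in for the template (not real assessment data).
SAMPLE_RISKS = [
    RiskEntry("Weak Passwords (CFO)", 3, ("cfo",)),
    RiskEntry("Weak Passwords (program assistant)", 4, ("program_assistant",)),
    RiskEntry("Unattended devices", 4, ("operations",), context_multiplier=1.5),
    RiskEntry("Misaddressed email", 2, ("program_lead", "operations")),
]

SAMPLE_RESPONSES = [  # constructed; no responses from the "new" cohort
    {"cohort": "leadership"}, {"cohort": "programmatic"},
    {"cohort": "operations"}, {"cohort": "long_tenure"},
]

SAMPLE_SIMULATION = [  # constructed phishing-simulation outcomes
    {"cohort": "operations", "clicked": True, "reported": False},
    {"cohort": "operations", "clicked": False, "reported": True},
    {"cohort": "operations", "clicked": False, "reported": False},
    {"cohort": "leadership", "clicked": True, "reported": True},
]

if __name__ == "__main__":
    for e in rank(SAMPLE_RISKS):
        print(f"{score(e):5.1f}  {e.error}")
    print("cohorts missing from the sample:", coverage_gaps(SAMPLE_RESPONSES))
    print(simulation_rates(SAMPLE_SIMULATION))
```

With the sample rows, unattended devices in a shared workspace (4 x 3 x 1.5 = 18) outrank the CFO's weak passwords (3 x 5 = 15), and the program assistant's identical habit scores only 4, which is the point made above: the same behaviour is weighted by what the person can reach. The coverage check reports that no new staff responded, so the snapshot should not be treated as representative until that cohort is included.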
‘So what’ and next steps
Following this assessment, you will be ready to begin a risk mitigation strategy. While this can be done on your own, it is best practice to bring the results to your team or your organization’s leadership to decide how to improve the high-risk areas.
Remember, types of data breaches, and how they happen, are constantly evolving. We recommend you stay alert to risks that are associated with your sector and the communities you serve. To learn more about how you can keep your data secure we recommend these guides:
How to assess an organization’s data asset risk