
We know that human error breaches are one of the largest causes of data breaches in Australia, and many of those result from team members sending personal information to the wrong person. Luckily, there are a host of technical and training measures you can take to reduce these risks for your organisation.
Here are some of the most common and most effective technical measures you can use to reduce the risk of accidental disclosure of personal information:
Highlighting when information is going to be sent outside of your organisation serves as a visual reminder to use additional caution when sending personal information – or confidential company information, for that matter.
This setting is easily configured by organisation admins within the Microsoft and Google email environments.
We strongly encourage you to set up customer or stakeholder portals to better manage how your organisation communicates with those externally. Whether you’re a university sending out letters regarding scholarships, or a bank sharing information about a person’s account, sharing information through a secure portal can drastically reduce the risk of a data breach via email.
If your operation is a little less sophisticated, you can also simply set up folders within SharePoint or Google Drive (or any other document management platform) and restrict access to the specific customer. Once you’ve finalised the communication to a third party, you can move it to the specific folder and alert the person that there’s a new document waiting for them.
While you still need to train your team on processes to ensure the right documents end up in the right folders, you maintain greater control over what customers can do with the documents they access (i.e. whether they can download them) and insight into what has happened with the documents.
You can use tools that automatically scan and quarantine emails containing complete sets of personal information, for example a full phone number, date of birth, licence number, or Tax File Number. These emails can be halted before they’re sent out and subjected to additional scrutiny as to whether they need to be sent at all.
As a general rule, it’s a poor practice to manage personal information like this directly in email communications.
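As an added illustration (not code from the original post or from Privacy 108), here is a small Python outbound-mail check that combines the two technical measures above: it flags recipients outside the organisation’s own domain, and it looks for complete identifiers (a nine-digit TFN that passes its check digit, an Australian phone number, a date of birth) before deciding whether to allow the message, warn the sender, or quarantine it for review. The organisation domain, the recipient addresses and the message text are constructed for the example; the only external fact it relies on is the published TFN check-digit weighting.

```python
"""Outbound e-mail check: flag external recipients and quarantine messages
that carry complete personal identifiers (TFN, Australian phone, date of birth).
Added example; the organisation domain and sample messages are constructed."""
import re
from dataclasses import dataclass, field

# Hypothetical organisation domain(s); any other recipient domain is external.
ORG_DOMAINS = {"example.org.au"}

# Published check-digit weights for a nine-digit Tax File Number.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Candidate patterns; the digit look-arounds stop matches inside longer runs.
PATTERNS = {
    "tfn": re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "phone_au": re.compile(r"(?<!\d)(?:\+61[ -]?|0)[2-478](?:[ -]?\d){8}(?!\d)"),
    "dob": re.compile(
        r"(?<!\d)(?:0?[1-9]|[12]\d|3[01])/(?:0?[1-9]|1[0-2])/(?:19|20)\d{2}(?!\d)"
    ),
}


def is_valid_tfn(candidate: str) -> bool:
    """The weighted sum of the nine digits must be divisible by 11."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def redact(value: str) -> str:
    """Keep only the last three characters so the log entry is not itself a leak."""
    return "*" * (len(value) - 3) + value[-3:]


@dataclass
class ScanResult:
    external_recipients: list
    findings: list = field(default_factory=list)  # (kind, redacted sample)
    action: str = "allow"  # allow | warn | quarantine


def scan_message(recipients, subject, body) -> ScanResult:
    """Classify one outbound message from its recipients and text."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]
    result = ScanResult(external_recipients=external)
    text = f"{subject}\n{body}"
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            # A nine-digit run only counts as a TFN if the check digit works out.
            if kind == "tfn" and not is_valid_tfn(match.group()):
                continue
            result.findings.append((kind, redact(match.group())))
    if external and result.findings:
        result.action = "quarantine"  # hold for review before release
    elif external:
        result.action = "warn"        # external-recipient banner only
    return result


# Constructed sample messages. The TFN is a made-up value that satisfies the
# check digit; the reference number in the last sample deliberately does not.
SAMPLES = {
    "leak": (["customer@mail.example"], "Your account",
             "Hi Sam, your TFN 123 456 782 and DOB 12/03/1990 are on file. "
             "Call 0412 345 678 with any questions."),
    "internal": (["finance@example.org.au"], "Ledger update",
                 "Sam's TFN is 123 456 782, please update the ledger."),
    "external_clean": (["customer@mail.example"], "Meeting", "See you Tuesday."),
    "bad_checksum": (["customer@mail.example"], "Ref", "Reference number 123 456 789."),
}


def run_samples() -> dict:
    """Scan every constructed sample and return the results keyed by name."""
    return {name: scan_message(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in run_samples().items():
        print(f"{name:15} -> {res.action:10} external={res.external_recipients} "
              f"findings={res.findings}")
```

The check-digit test is what keeps the TFN rule useful: a bare “any nine digits” rule fires on invoice and reference numbers so often that people learn to click through it. Quarantining only external-bound messages, while still logging internal ones, mirrors the post’s point that the risk is disclosure outside the organisation.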
Finally, if your organisation sends physical mail containing personal and/or sensitive information, it’s worthwhile considering the use of secure mail services, including signature requirements or an in-person drop-off.
While technical measures are important, and should absolutely be in place in your organisation, training and empowering your team is vital. Here’s what the OAIC said on this topic in its January–June 2024 Data Breach Report:
“Mitigating the risk of the human factor as a root cause of data breaches involves not only reducing opportunity for errors with technical measures, but also educating staff. All staff should be aware of their privacy and security obligations.
Reasonable steps entities can take include:
In addition to regular, customised training, here are some good practices for keeping privacy and security top of mind for your team:
We quite like this tip as it can improve your operations beyond privacy and security. It also really emphasises the ‘human’ aspect of your operations, which is really important – given that your human resources represent the biggest risk to your organisation’s data.
Offering emotional intelligence micro-learning opportunities for your team is a valuable way to help them upskill professionally and reduce the risk of privacy and security breaches. A critical aspect of emotional intelligence is being able to recognise when feelings of stress, fatigue, or being rushed crop up. When your team is aware that they are feeling a certain way, they are in a better position to manage those feelings.
Plus, it can help your team to identify phishing emails and other security risks. Emotionally intelligent workers may be better equipped to identify cyber threats that rely on human psychology – including a sense of urgency or playing to a person’s fears.
Again, we love that this tip focuses on the human side of privacy and security. While the penalties, organisational reputation and the hit to the bottom line are important considerations, at the end of the day, if your team shares someone’s personal and/or sensitive data with someone they shouldn’t have, it can feel quite violating.
People who are victims of data breaches, whether that’s through human error or ransomware, regularly report feelings of helplessness, lack of control, fear, and anger.
During our corporate trainings, we regularly encourage trainees to consider how they would feel if they found out their data had been handled a certain way as a guide for whether certain privacy practices are okay (or not). This takes the privacy and security considerations beyond just numbers and letters on a screen and really emphasises that there are real humans behind the data.
We’ve found that when your team is reminded of the humans behind the data breach, the preventative measures feel less burdensome or ‘over the top’. It also encourages team members to become advocates for data security and to think critically about what they’re doing day-to-day.
We encourage organisations to regularly run highly relevant practice scenarios so their teams can walk through what to do if a data breach occurs.
We love this approach because it can be handled at the supervisor/employee level, with supervisors creating realistic scenarios and having their team walk through what they would do in that instance. And it’s a relatively low-cost, low-barrier way to keep privacy top of mind.
Plus, these scenarios can be used to identify gaps in training and opportunities for increased technical measures before a data breach occurs.
Need help managing your organisation’s data? Reach out. Our team of privacy consultants is ready and able to help with cost-effective, tailored privacy training and to improve your organisation’s privacy posture. Get in touch via our online form.
Keen to get twice monthly privacy updates from us? Subscribe to our newsletter!
We share a monthly roundup of privacy news from Australia and around the globe, plus a monthly mailout sharing our blog posts and information about upcoming trainings, so you’re always in the know.