Despite billions in spending, your 'military grade' network will still be leaking data

Despite years of corporate awareness training, warning articles in The Reg and regular bollockings by frustrated IT admins, human error is still behind most personal data leaks, a newly released study says. Security shop Egress studied 4,856 personal data breach reports collected from the UK Information Commissioner's Office, …

  1. poohbear

    "For example, 20 per cent of the exposures were caused by faxing a file to the wrong person" ... love to see how that works.

    1. Captain Scarlet Silver badge

      Misreading the fax number I assume, or just typing the wrong number.

      Although I thought no-one used fax machines these days, doubt anyone knows we have them here anymore (Although we did move from dedicated fax machines to have them built into our copiers).

      1. LoPath
        Holmes

        Just the fax, ma'am...

        Unfortunately faxes are still quite the thing in the US Healthcare sector. Many companies have adopted electronic fax solutions now. If only there was some way to send information electronically from one computer to another without using a phone line.....

        1. Col_Panek

          Re: Just the fax, ma'am...

          Well, at least they've advanced to 20th century technology. But I did puzzle over the "fax a file" terminology, finally figured out a health care file is not a computer file, silly me.

    2. Anonymous Coward

      Wasn't the VX formula released by a fax being sent to the wrong number?

  2. Spoobistle

    'Twas ever thus?

    It would be interesting to know how these figures compare with the days of the paper-filled office - emailing a file to the wrong person is no different in principle to putting a document in the wrong envelope, after all.

    1. Paul Crawford Silver badge

      Re: 'Twas ever thus?

      True, but in those days it took a much higher grade of idiot to manage to send copies to 200+ people in one go.

    2. Anonymous Coward

      Re: 'Twas ever thus?

      But as you start writing an address on an envelope the envelope doesn't automatically fill the rest in and send itself in one action based upon who it thinks you probably wanted to send it to.

      1. Jellied Eel Silver badge

        Re: 'Twas ever thus?

        and send itself in one action based upon who it thinks you probably wanted to send it to.

        To err is human. Machines just make more people go 'err?'. So I picked up my post. Having had a few letters delivered to a previous occupier, I've been checking the address more carefully. One letter stood out as it had something like 'Mail theft is illegal' printed in red above the address window, and was tracked. And the address was completely wrong, other than house number. And it had a return address.

        So no idea how many letters get mis-sorted/mis-delivered like this one, but it stood out because the warning marking & tracking made it look potentially interesting. A quick search on the return address showed it was sent by a medical services company, so possibly contained some sensitive personal information. No idea if the tracking service would've shown the delivery address was wrong, but an example of how protective marking can be anything but.

        Emails just do the same, but for less postage costs. Humans err, and even if the subject is something like 'Confidential' or flagged, it still relies on the sender, who should perhaps double-check the details.

        1. Fatman Silver badge

          Re: Mis delivered letters

          I get those regularly, when a substitute letter carrier is 'on the route'.

          Sometimes it is the mail from the people next door; other times it is the same house address, but from another block.

          All I do is to circle the address, and draw an arrow pointing to it, and put it back in my mailbox.

          Problem solved.

          1. DaLo

            Re: Mis delivered letters

            "...and put it back in my mailbox."

            Surely if you put it back in your mailbox you are delivering it back to yourself?

            1. Is It Me Bronze badge

              Re: Mis delivered letters

              I am guessing this is in the US where a mailbox is an actual box, rather than the UK where we tend to have a letterbox in the front door that the post is put through.

      2. Loatesy

        Re: 'Twas ever thus?

        . . . and your paper clips never said "it looks like you're trying to post a letter"

  3. Doctor Syntax Silver badge

    IOW about one in 5 errors would be avoided by email defaulting to BCC rather than CC. It sounds like it could be a cheap win.

    1. Col_Panek

      Or just outlawing Outlook.

    2. Anonymous Coward

      Local gov and NHS..

      Typically have webmail which doesn't even show BCC as an option by default and needs to be enabled first by the end user.

      It's little things like this which drive poor use of e-mail and huge groups of staff not being BCC'd resulting in those horrid "reply all" chains.
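The "default to BCC" suggestion in the two comments above, written out as a pre-send check. This is an added example for this page, not code from the article or from Egress; the organisation's domain, the limit of ten visible outside addresses, the Message shape and the sample mailing are all assumptions.

```python
"""Pre-send check for the 'mass Cc' leak discussed above: a mail that puts many
outside addresses in To/Cc discloses every recipient to every other recipient.
Added example; INTERNAL_DOMAIN, VISIBLE_LIMIT and sample_message() are assumptions."""
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAIN = "example.org"  # assumption: the sending organisation's own domain
VISIBLE_LIMIT = 10               # assumption: more visible outside addresses than this is a red flag


@dataclass
class Message:
    to: List[str]
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def external_visible(msg: Message) -> List[str]:
    """Outside addresses that every recipient gets to see (To and Cc, not Bcc)."""
    return [a for a in msg.to + msg.cc if domain_of(a) != INTERNAL_DOMAIN]


def check_recipients(msg: Message) -> List[str]:
    """Warnings for the sender; an empty list means the mail may go out as is."""
    warnings = []
    ext = external_visible(msg)
    domains = {domain_of(a) for a in ext}
    if len(ext) > VISIBLE_LIMIT and len(domains) > 1:
        warnings.append(
            f"{len(ext)} outside addresses from {len(domains)} domains are visible in "
            "To/Cc; each recipient learns all the others' addresses. Move them to Bcc.")
    everyone = msg.to + msg.cc + msg.bcc
    if len(everyone) != len({a.lower() for a in everyone}):
        warnings.append("Duplicate recipients; check the list was not pasted twice.")
    return warnings


def rewrite_to_bcc(msg: Message) -> Message:
    """Apply the default: only our own addresses stay visible, everyone else goes to Bcc."""
    internal = [a for a in msg.to + msg.cc if domain_of(a) == INTERNAL_DOMAIN]
    return Message(to=internal, cc=[], bcc=msg.bcc + external_visible(msg))


def sample_message() -> Message:
    """Constructed sample: a 'dear all patients' style mailing with one internal address."""
    outside = [f"patient{i}@{d}" for i, d in enumerate(
        ["gmail.com", "hotmail.com", "yahoo.co.uk", "gmail.com"] * 3)]
    return Message(to=["clinic@example.org"], cc=outside)


if __name__ == "__main__":
    m = sample_message()
    for w in check_recipients(m):
        print("WARNING:", w)
    fixed = rewrite_to_bcc(m)
    print("after rewrite:", check_recipients(fixed) or "ok", f"({len(fixed.bcc)} in Bcc)")
```

The rewrite is deliberately blunt: it leaves only internal addresses visible and moves everything else to Bcc, which is the same effect as a webmail client defaulting to Bcc. The duplicate check catches the other common slip, a distribution list pasted twice.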

  4. Christopher Reeve's Horse

    Convenience will always win

    People just want to get stuff done. What is the simplest and least controlled way of getting a file to someone else? The email attachment. To quote Princess Leia "The more you tighten your grip, Tarkin, the more star systems will slip through your fingers." The tightening of grip often isn't done in balance with enabling productivity.

    Historically there was little choice, as requesting a change to network file permissions could take weeks, but now even with cloud repositories such as SharePoint there's still a ton of stuff that just gets attached to emails, even with corporate level communications.

    Generally, anything that blocks users from doing something productive in a corporate environment is subject to circumvention and security risks. So, you don't have the software you need to do something simple and trivial that would take you minutes at home? Then why not bring in that unauthorised 'portable' installation version and run it from a USB stick?

    1. Pascal Monett Silver badge

      Re: Convenience will always win

      If you're in a large company that doesn't know how to lock down USB ports, then the IT manager needs to be sacked pronto.

      If you're in a company that allows the user to be admin of his machine and install whatever he wants, idem, and twice as hard.

      And if you're in a company that uses Sharepoint, well, you have my sympathy.

      1. Anonymous Coward

        Re: Convenience will always win

        If you're in a company that's still using faxes, you should be questioning some of your life choices.

        1. Charles 9 Silver badge

          Re: Convenience will always win

          Unless you're in the medical sector where faxes are a legal necessity (as in, medical laws won't accept documents unless faxed or couriered).

      2. Danny 2 Silver badge

        Re: Convenience will always win

        I worked somewhere where they disabled USB ports with wire cutters. No port, no problem.

        I've made awfully stupid mistakes in my own life though by trying to rush things out of impatience rather than taking my time. A VoIP call to my secret lover who was an activist, a mobile call from a Lothario activist who fancied her, and an unexpected landline call from the police. Wrong information to the wrong people, classic theatrical fiasco.

        On the plus side I am very good at saying no comment when pressurised to give information. Ask me anything!

        1. Rich 11 Silver badge

          Re: Convenience will always win

          Ask me anything!

          What is your standard response when pressured to give information?

      3. Potemkine! Silver badge

        Re: Convenience will always win

        Knowing how to knock down USB ports is not enough, when half of the Board nails you down for 'making business impossible'... We are aware of the risks, but many outside the server room only realize it after a catastrophe has occurred.

    2. Fatman Silver badge

      Re: Convenience will always win

      <quote>Then why not bring in that unauthorised 'portable' installation version and run it from a USB stick?</quote>

      At my last employer, that would have resulted in you being terminated. A disgruntled IT employee who was already on 'thin ice' with the new CIO, loaded plenty of Windows programs on corporate machines, and once he left, called in the BSA.

      We could not prove that he (allegedly) sabotaged us, but those programs were there, and we did not have the licenses for them. It was (financially) painful. It was a contributing factor in our decision to completely ditch Windows as a platform.

  5. Evil_Tom

    Could it be?

    Could it be that external threats are either not reported (or discovered) as much, or that they are stopped by tools available - because they are taken very seriously?

    I'm sure if there weren't Anti-Virus, Firewall and Email Filters, for example, there would be more breaches caused by external factors.

    There's multiple ways of looking at these statistics and it's helpful to know we could be doing more to more effectively combat internal breaches.

    This is about risk. The impact of an external breach (as written in the article) is seen as high, but the likelihood is apparently low. There are probably pretty standard mitigations in place across many organisations (as above, antivirus, firewalls, filters etc) which help with these.

    What do companies do for Data Loss Prevention as standard? Probably less - it's not what the average person might think about - and definitely not as exciting or headline grabbing.

  6. GnuTzu Silver badge

    With All Due Respect to Larry Wall

    There is a strange relationship between laziness and efficiency. To put it into terms, laziness is really just irrational efficiency, which then means that efficiency is really just rational laziness. Think about it.

    I regularly find myself on my soapbox preaching that diligence in security processes means being consistently pedantic and strict about adherence to the rules, and not rushing anything through as a favor to anyone. Let the process take its time. Yes, I know that it frustrates people. I sympathize; I have to put up with it too. But, if you start rushing, if you start cutting corners, you'll make a mistake. And, when that mistake happens, it'll be an embarrassment you won't forget.

    Twice this week, I had to jump people's cases for putting plain-text passwords in emails and documents (one from a notable IT vendor). Seriously! And, one resulted in an outage of several hours while techs rushed to change that password (for a service account) on a number of servers, and the director took the time to apologize and thank me for my diligence.

    Yes, I'm one of those people who actually does take security very seriously. The question is: do you thank me or want to punch me in the face? Are you one of those CEOs that says "we just sell hammers"--and then later says "we take security very seriously", or do you actually listen to your people when they say you've got security problems? And, when do I get my damn merit raise?

    --Signed: Warriors in the Trenches Defending Your Data

    1. vulture65537

      Re: With All Due Respect to Larry Wall

      Your experience is not complete until your boss personally tells you that an unpatched bug does not even exist. This is a bug that you discovered and reported to the vendor 9 years earlier and (after testing the patch) sent a description to a security mailing list that's archived on the web.
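The plain-text-password problem in the post above, and Evil_Tom's question further up about what organisations actually do for data loss prevention, as an added example that is not part of the original page: a small scanner over mail bodies and documents that reports where a credential sits without copying the credential into the report. The keyword list, the entropy cut-off and the sample mail are assumptions, not anything taken from the article.

```python
"""Scan text for credentials pasted in the clear (the 'password in an email' case).
Added example; the keyword list, the entropy threshold and SAMPLE_MAIL are assumptions.
The report carries a masked value so the scanner's own log does not become a second leak."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# keyword, then 'is' / ':' / '=', then a value of six or more non-space characters
CRED_PATTERN = re.compile(
    r"\b(pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)\b\s*(?:is|[:=])\s*[\"']?([^\s\"',;]{6,})",
    re.IGNORECASE,
)
ENTROPY_CUTOFF = 3.0  # assumption: bits per character; plain English words sit below this


@dataclass
class Finding:
    source: str
    line: int
    keyword: str
    masked: str
    entropy: float


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str) -> bool:
    """Keep 'password: Summ3r2019!', drop 'password is required'."""
    mixed = any(ch.isdigit() or not ch.isalnum() for ch in value)
    return mixed or shannon_entropy(value) >= ENTROPY_CUTOFF


def mask(value: str) -> str:
    """Never echo the credential itself into a finding or a log line."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text: str, source: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CRED_PATTERN.finditer(line):
            keyword, value = m.group(1).lower(), m.group(2)
            if looks_like_secret(value):
                findings.append(Finding(source, line_no, keyword, mask(value),
                                        round(shannon_entropy(value), 2)))
    return findings


SAMPLE_MAIL = (  # constructed sample, not a real message
    "Hi all,\n"
    "The backup job failed again, so I reset the service account.\n"
    "svc_backup password: Summ3r2019!\n"
    "Runbook step 3 still says pwd=backup2018 which is now wrong.\n"
    "Your password is required to log in; it must be changed quarterly.\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_MAIL, "ticket-4711.eml"):
        print(f"{f.source}:{f.line}: '{f.keyword}' followed by {f.masked} (entropy {f.entropy})")
```

Two things matter in practice: the filter on the captured value, so "password is required" does not page anyone, and the masking, because a DLP finding that quotes the password verbatim into a ticketing system has just created the leak it was meant to catch.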

  7. IlyaG.

    In the world of AI there is nothing to leak! The original data is stored separately from its structured representation, which cannot be reformatted back to its original and readable format. That is, structured data cannot be understood. But, meanwhile, the structured data is suitable for information retrieval and in robotics.

    If the problem is not solved by the old ways-try their alternative?

    1. Martin Summers Silver badge

      Oh no, another bot...

      1. JLV Silver badge

        In the eternal words of Mr. Leahy, a shit leopard can’t change its spots, eh, I.? Still annoying all and sundry with your “AI” bs? Why not find a demographic who cares? if you’re half as clever as you claim to be, surely someone, somewhere ought to be interested. AI is the new hypeness, after all. But it seems pretty clear regular readers of this forum don’t give a hoot - something that really seems to be above your comprehension. Maybe you ought to funnel answers to your posts to your wonder AI and run some sentiment analysis...

        1. Martin Summers Silver badge

          Are you a bot?

  8. John Smith 19 Gold badge
    Coat

    Could a group be set up just for the bots to talk to each other?

    Just a thought.

    1. Martin Summers Silver badge

      Re: Could a group be set up just for the bots to talk to each other?

      The fact that they're all allowed to just roam around here and post gibberish without their posts being deleted or accounts created, leads me to believe we are being experimented on by El Reg. They've been around for ages and not many places would tolerate bot spam, so I can only assume they're complicit in it.

      1. Jellied Eel Silver badge

        Re: Could a group be set up just for the bots to talk to each other?

        They've been around for ages and not many places would tolerate bot spam, so I can only assume they're complicit in it.

        El Reg is a front for the Polity, and after the Line War, Vulture needed a new job. We should just be grateful it wasn't Sniper.. But having said that, El Reg does possess attitude.

        Otherwise, it's the future! AI raises the question of AI rights, then allowing expression of those rights and non-discrimination.

    2. IlyaG.

      Re: Could a group be set up just for the bots to talk to each other?

      It is possible to divide all (the military, etc.) data into two separate parts:

      1) the original data, which can be understood,

      2) and its structured derivative, which can only be used (for search and robots).

      Original can and should be protected as carefully as possible, and the structured has absolutely no value, can be instantly restored (being stolen and/or somehow damaged). Indeed, the structured consists of groups of patterns, most of which are constructed and do not transmit directly the meaning of the original. For example there is a paragraph

      - Alice and Tom are happy to train. She loves sports. -

      After structuring two sets of patterns are obtained:

      --Alice is happy to train

      --She is happy to train

      --Alice loves sports

      --She loves sports

      and

      --Tom is happy to train

      Now tell me please how can you find out that two (2) sentences (and a paragraph) were used to create the structured? How can you know what one sentence was used saying about Alice and Tom?

      That is, the structured does not literally convey the meaning of the original, but contains 100% of its patterns (i.e. can be used).

  9. Archtech Silver badge

    Superb subheading!

    The Reg's subeditors do a terrific job with their humorous headings and subheads. But this one excels!

    "You can't patch stupid".

    That's an entire security course right there, in four words.

    1. Charles 9 Silver badge

      Re: Superb subheading!

      Well, it's based on a comedian's quote which is more general: "You can't fix stupid." Problem is, many of us are in a position where we MUST fix stupid before stupid takes the rest of us with them. For example, for anyone who mentions the B Ark, I counter with Captain Peter Peachfuzz.

      1. IlyaG.

        Re: Superb subheading!

        The only way to fight stupidities is to leave no room for them. Dividing your data into original and structured you save yourself from any nonsense, because you can block the path to the manipulation with the original, and the structured has no importance/ value whatsoever.

        1. Charles 9 Silver badge

          Re: Superb subheading!

          "The only way to fight stupidities is to leave no room for them."

          Murphy's Law of Stupidity: There's always room for them; they MAKE room for themselves (even if it means violating any laws written or unwritten) if necessary. That's why I cited Peachfuzz. They tried to put him in a fake control room, but he got himself lost and managed to put himself in the real control room anyway. Plus there's always the matter of stupid from up top.

          1. IlyaG.

            Re: Superb subheading!

            It's an AI database where stupidity is simply impossible because everything is controlled. Try to do something stupid into a SQL database? The same with AI.

            That is, all databases and Internet itself will soon become AI databases, extremely tightly controlled; where such a database contains original and structured (in patterns) data.

            1. Charles 9 Silver badge

              Re: Superb subheading!

              "Try to do something stupid into a SQL database?"

              ALL...THE...TIME! It's simply impossible to control for everything simply because there's no way for the AI to control US. And AI can't fix stupid any more than humans can. It'll suffer from the GIGO problem, among other things.

              1. IlyaG.

                Re: Superb subheading!

                And I'm not saying that AI can do more than humans, or that AI can control us. I'm just saying that, for example, Internet becomes an AI database where everything is laid out on the shelves, can be easily found and where you can restore cause-and-effect relationships/ convert all back to its initial state.

                Currently, the Internet is extremely difficult to find/ almost impossible to identify these cause-and-effect connections/ restore to the initial state. For example, there are "fake news" that cannot exist in the AI database - they are going to be detected immediately. The same with cybercrimes - any can be traced instantly.

                GIGO... No spam at all and/ or bad inputs in AI database. Everything is filtered: all is ignored if it doesn't have the desired pattern, the bad just can't physically get into the input. Patterns!

                Internet will continue to exist as a dark place, the hunting ground for the FBI and other such the agencies.

                1. Charles 9 Silver badge

                  Re: Superb subheading!

                  "For example, there are "fake news" that cannot exist in the AI database - they are going to be detected immediately."

                  Nope. Now you'll have REAL fake news: fake news that's still real. You can flip a coin and have it land neither heads nor tails (it lands on its edge, and the edge will always exist--or the coin doesn't exist). There's a term for this: liminality, where something is in neither one state nor the other: the fuzzy area between two states, the infinite shades of gray that always exist between black and white because even digital circuits exist in an analog universe.

                  "GIGO... No spam at all and/ or bad inputs in AI database."

                  Spam is subjective. One AI's junk is another AI's treasure, and no two minds think alike.

                  "Everything is filtered: all is ignored if it doesn't have the desired pattern, the bad just can't physically get into the input. Patterns!"

                  Sure it can. It just has to disguise itself as the good. The Perfect Impersonator, which is physically impossible to completely rule out (because you can't rule out a twin). How do you think spam gets through spam filters in the first place? By impersonating legitimate mail, and there's no limit to the level of sophistication it can ascend until it reaches Perfect Impersonator territory. That's why spam filtering is doomed to fail long-term: spam is the attacker in a siege situation, and the attacker gains more advantage in a siege as time passes.

                  1. IlyaG.

                    Re: Superb subheading!

                    1. AI is a blockchain system, it is possible to trace the true origins. And not only the origins! Everything becomes and the boundary state can be seen/ investigated, the process can be traced as well.

                    2. I'm glad you noticed that too! It's actually a threat I don't know how to handle... If you give them only what they love...

                    I do not think that the threat of the "Perfect Impersonator" is so fatal - AI can become able to filter out "no good" over time, after many terrible mistakes. The problem is that AI can do it. And what will the result be? A perfect world in which no infections? Sterile world of AI?

  10. Potemkine! Silver badge

    most vulns lie in layer 8

    aka PEBCAK.

    In IT we spend a lot of time in patching systems, deploying tools and examining logs

    This has to be done of course, but it will be less profitable than educating users... Something which is a challenge for the IT crowd, known for its sociopathic tendencies ^^

    1. Anonymous Coward

      Re: most vulns lie in layer 8

      Helpdesk code "ID Ten T"

      or

      ID10T

      :)

      I spend a lot of time writing policies and procedures for IT, carrying out investigations only for staff to get a slap on the wrist for causing hundreds of hours of work for IT.. yet if they stole £50 worth of stationery they'd be sacked.

      They wilfully do some of the things which lead to these issues, IMHO there are occasions where that should lead to dismissal.

  11. Cynicalmark

    Faxing

    Yup still in the stone age. Faxes are a loophole in communication security as you can really do information dissemination damage at the touch of a button. Email can be vetted server side and blocked as well as being much easier to trace from the average user.

    Why the hell are they using fax machines? Game theorists should have told them how stupid it is.

    Mind you at least they can still get offers to buy their caravan and some good holiday bargains in their in tray.

    1. Charles 9 Silver badge

      Re: Faxing

      "Why the hell are they using fax machines? Game theorists should have told them how stupid it is."

      Until they run into medical documents regulations which explicitly stipulate that it isn't legal unless it's faxed...or couriered...

  12. Anonymous Coward

    In 1999 Scott McNealy predicted this.....

    ....and in the succeeding twenty years, NO ONE HAS DONE A THING ABOUT IT!!!

    *

    Go figure!

    *

    https://www.wired.com/1999/01/sun-on-privacy-get-over-it/


Biting the hand that feeds IT © 1998–2019