Allow me to take you back to 1936, the year it became mandatory for each municipality in the Netherlands to keep a record of the demographics of its inhabitants. This was done with the most advanced data storage and processing system available at the time: punched Hollerith cards. After three years, each Dutch citizen’s personal information was stored, including a section called ‘heritage’, where your ethnic origin was entered. The year 1940 began. The civil registry, including all machines used to read and process its data, quickly fell into the hands of the Gestapo. Their mission became a whole lot easier to carry out, and I assume I do not have to expand further on the horrors that followed.
This might have been one of the first data breaches in history, or at least a hard lesson on what can happen if sensitive data falls into the wrong hands. Today, governments and businesses rely even more on data. What measures can be taken to prevent data breaches from happening? While the media might focus on sensational hacking stories, most data breaches are made possible from the inside. Employee mistakes account for a big portion of the data breaches that happen. A secure company culture must therefore be developed.
One of the most important measures that can be taken is simple: employee training. Your employees should be aware of the dangers and the effects they can have on your organization. Teaching them the consequences will make them more aware of their behavior. Techniques such as controlled phishing campaigns could be used to make sure you know which employees might need further guidance, and even which employees could help each other out regarding cyber safety. One training per year will not be sufficient; it is important that their knowledge is regularly tested and refreshed.
Prevention is only one part of the puzzle. Everyone within your organization should know how to act if a data breach were to happen. Make sure your employees know who to notify, and equally important: make sure they feel secure and comfortable reporting any missteps they might have made.
Perhaps the most effective strategy: think like the attacker. Although in 1939 no one could have even begun to imagine what was waiting to happen, imagining that someone out there would want to do harm with the data that had been stored could have saved a lot of lives.
Very interesting article! Never knew that the Hollerith cards played a role in the Holocaust.
I completely agree that most breaches are made possible from the inside, but do you think that companies should train their employees on their own terms? You could argue that this is a problem that everybody in our society faces with the new developments in digitization and security, not necessarily only in the office. I would say that the companies should lobby with the national government to invest in education to train people earlier on in security and general digital awareness. For instance, a mandatory course in high schools on media awareness with subjects such as hacking, fake news, personal data etc. This would help people themselves in later life and the companies that they are going to work for. What do you think?
Hi Celine,
What a great read! It feels like not even a week goes by before there is a new data breach somewhere in the world. I often find myself thinking about data breaches and hacking as a new phenomenon, so it was interesting to see that it's an issue that's been around for quite a while, and that we can and should learn from our past mistakes. I also think that your example from WWII is a great way to try and convey how disastrous a data breach could end up being for us, and why widespread knowledge about how to prevent data breaches is essential.
You bring up an important point, in that most data breaches actually occur because of internal employee mistakes as opposed to large-scale external attacks. People don’t realise how easy it is to fall for cyber attacks. The problem is that most employees don’t know how to detect a possible threat, and I agree that extensive employee cyber training will be an essential tool for today's companies moving forward. After all, hacking is psychology and hackers will more often than not try to find the weakness of their targets. Having not yet had extensive working experience, but having completed a couple of internships, it concerns me to think that I never received any kind of extensive warning or training about the possible dangers I could face spending most of my days on my work email and accessing documents on the company's internal servers.
I wonder though whether deploying internally controlled phishing attacks on one's own employees would be an acceptable method of trying to solve the problem. Perhaps instead firms could educate their employees with examples of phishing, giving them the chance to study them and hopefully recognise them in the ‘real world’ when necessary. And with the rapid increase in hacking methods, I think, like you said, that employees need to be refreshed, trained and tested as often as possible.