Three Mobile has become the latest victim of a high-profile cyber attack, with the data of six million customers potentially exposed after hackers successfully infiltrated their customer upgrade database, using an employee's login details.
Whilst full details are yet to emerge about how the hackers got this information (the employee could have accidentally shared their details, accessed their account on an insecure network, or simply had a weak password that was easy to crack), it's clear that human error played a part.
This isn't new: high-level data breaches caused by human error are not uncommon. Large-scale hacks of Sony and the Pentagon over the last few years were caused by simple phishing emails to staff. Recent research from CompTIA found that 60% of UK businesses say that human error is a major contributor to security risks, with general carelessness and IT staff failing to follow policies being the main causes, showing that the capability of employees to protect data is a concern across the board.
Three now faces massive repercussions, from reputational damage to potential fines, and their customers could feel the effect of this hack for months or years down the line. But what's really galling is that this wasn't the result of advanced hacking techniques, but something so easily prevented.
If businesses want to prevent attacks like this happening, they need to ensure that everyone has basic cyber hygiene: that they know the basics to prevent a breach, know how to spot potential attacks, and understand the implications of their actions on the wider company, and even the economy.
Technology is no longer just the remit of the IT department. Every employee, from the receptionist through to the CEO, uses IT systems every day. If staff do not have the necessary knowledge and tools to recognise when they are under threat or acting unsafely, how can they be expected to keep information safe?
This is why training and educating people to remain secure is so important. If staff members understand that accessing private information on an insecure server can lead to someone else stealing it, or that while a weak password is easy to remember it also leaves you highly vulnerable, they are far less likely to fall prey to attacks. Much is said about the need to upgrade systems and implement security processes to reduce risk, but this will be wasted investment if you don't also train your staff.
Fortunately, we are beginning to see initiatives being put in place to help ensure staff and businesses remain secure. Schemes such as GCHQ Certified Training are helping organisations identify relevant cyber security training programmes, while programmes like CompTIA's CyberSecure are allowing businesses to educate their staff in the fundamentals of cybersecurity in the workplace. Tools and initiatives like these mean that employees have access to a bank of information on where threats lie and how to combat them, ensuring that everyone in an organisation has the capability to keep information secure.
The threat of cyber attacks isn't going away any time soon and Three will not be the last organisation to face such issues. Businesses need to wake up to the risk their employees pose, and ensure that they give them the tools to become the first line of defence, whether they work on the front desk or at boardroom level. Education is the most powerful tool we have in the battle against cyber attacks, and the more everyone is aware of how to keep safe, the more we are able to remain secure, protect customers and keep valuable information in the right hands.