Human Error: The Root of 74% of Data Breaches

Human error remains a major security concern for organisations, but is often overlooked. According to Verizon’s 2023 Data Breach Investigations Report, 74% of data breaches over the last year involved human error, which included employees exposing data directly or providing cyber criminals access through mistakes.

Addressing this threat requires a comprehensive understanding of how human error impacts an organisation. Such errors typically fall into two categories: skill-based and decision-based.

Skill-based errors occur when employees make mistakes in tasks they are familiar with due to momentary lapses in judgement or concentration. An example is failing to properly shred confidential documents.

Decision-based errors happen when employees compromise sensitive data due to a lack of understanding or knowledge of the risks involved.

A human-error scenario

Imagine the following scenario within a healthcare organisation – a sector that’s no stranger to data breaches, with criminal hackers frequently gaining access to systems or data. The organisation is transitioning to a new EHR (electronic health records) system to improve patient data management and streamline operations. The IT department has established strict protocols for data security and access control.

One day, an administrative staff member named Sarah, responsible for entering patient data into the EHR system, needs to share a patient’s medical records with a colleague in another department for research purposes. The colleague requests the records via email, which is common practice within the organisation.

However, Sarah is not well-informed about the risks associated with emailing sensitive patient data. She lacks training on the organisation’s data protection policies and the risks of sharing sensitive information via unencrypted email. She believes that sending an email attachment with the patient’s medical records is a quick and convenient way to fulfil her colleague’s request.

Sarah sends the email without encrypting or password-protecting the attached file. The email contains sensitive medical information, including the patient’s full name, medical history and diagnosis.

Unfortunately, this decision-based error proves costly. The email is intercepted by a cyber criminal, who gains unauthorised access to the patient’s confidential medical information. This breach results in a violation of patient privacy and exposes the healthcare organisation to legal and financial repercussions, including potential lawsuits and regulatory fines.

A real threat

In this example, the decision-based error occurred because Sarah lacked knowledge of data security risks and didn’t understand the potential consequences of her actions. Adequate training and awareness programmes could have prevented this breach and protected the organisation’s sensitive data.

The consequences of human error can be financially devastating, often surpassing those of cyber attacks. IBM’s Cost of a Data Breach Report 2023 revealed that skill-based errors, such as BEC (business email compromise) and phishing scams, cost organisations millions per breach. These breaches also take longer to identify and contain, leading to increased damage.

Cyber Security for Remote Workers Staff Awareness E-learning Course

Tackling human error has become more challenging in recent years due to the rise in phishing scams: in the US, last year saw double the number of attacks recorded in 2021.

To mitigate this risk, organisations can explore our Cyber Security for Remote Workers Staff Awareness E-learning Course. It’s designed to equip employees with the knowledge to work securely from home, covering risks like phishing scams and shared Wi-Fi network vulnerabilities.

You’ll also discover the steps you can take to secure your Internet systems and improve your remote-working experience.

About the author

Aidan Thornton

Aidan Thornton is a Learning Designer and Product Evangelist with GRC eLearning. Mad about all things digital learning and compliance training!