Humans Are Leak Machines

While charmingly meme-ready thanks to a presumed intoxication among its actors, the national-security-over-Signal debacle is not surprising.


Every year, I have to endure information governance training. It's a tedious slog through online "lessons" and "courses" that costs me a day of time and about a week’s worth of joy. There are no words to convey the boredom and frustration - for the evening after, I see multiple-choice tests whenever I close my eyes. But this training doesn't just tick a box and let me access patient information, it's an important tool for keeping the nation's medical records safe, and we have a stunningly low rate of data breaches.

My lessons range from esoteric scenarios around trading privacy for patient safety and quality of care - not to mention arrangements around complying with law enforcement - to simple rules like using strong passwords, not sharing login credentials and not (and I can't stress how simple this one is) communicating through unauthorized messaging apps.

What the hell were the White House Gang thinking? Authorized communication channels exist to prevent unauthorized people seeing things they shouldn't. And they are administered by competent security staff who take care of things like defences against hacking, data availability and fidelity, and - pertinent to last week - mitigation against user error. I cannot, for instance, send a message to someone outside the national health service without my email halting the process, detailing who I'm about to message and waiting for me to confirm that the message should be sent. It's basic information hygiene. Sending war plans over a messaging app after accidentally including a journalist in the chat should be inconceivable.
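An added illustration of the outbound-recipient check described above (this is not code from the original piece or from any real mail system; the trusted domains and the sample addresses are constructed). It flags any addressee outside the organisation's domains and holds the message until the sender explicitly confirms, and it compares domain suffixes rather than prefixes so that a lookalike such as `nhs.example.attacker.test` is still treated as external.

```python
"""Outbound-recipient guard: classify addressees as internal or
external and require confirmation before an external send proceeds.
Added example with constructed data; not from the original article."""
import re
from dataclasses import dataclass, field

# Constructed trusted domains (assumption: the organisation owns these).
TRUSTED_DOMAINS = {"nhs.example", "mail.nhs.example"}


@dataclass
class Verdict:
    internal: list = field(default_factory=list)
    external: list = field(default_factory=list)

    @property
    def needs_confirmation(self) -> bool:
        return bool(self.external)


def _domain_of(address: str) -> str:
    # Accept "Name <user@host>" or bare "user@host"; use the part after '@'.
    m = re.search(r"<([^<>]+)>\s*$", address)
    addr = (m.group(1) if m else address).strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"malformed address: {address!r}")
    return addr.split("@", 1)[1]


def is_trusted(domain: str) -> bool:
    # Exact match or a proper subdomain of a trusted domain. Suffix
    # comparison means "nhs.example.attacker.test" does NOT pass.
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify(recipients) -> Verdict:
    v = Verdict()
    for r in recipients:
        (v.internal if is_trusted(_domain_of(r)) else v.external).append(r)
    return v


def release(recipients, confirm) -> bool:
    """Return True if the message may be sent. `confirm` is a callback
    given the external addressees; it returns the sender's decision."""
    v = classify(recipients)
    return True if not v.needs_confirmation else bool(confirm(v.external))


if __name__ == "__main__":
    sample = ["Alice <alice@nhs.example>", "bob@mail.nhs.example",
              "reporter@press.test", "eve@nhs.example.attacker.test"]
    print(classify(sample).external)  # prints the two external addresses
```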

But it isn't. In fact, it's never been inconceivable. The line that this sorry episode is no big deal because many people make this kind of error is wrongheaded and dangerous, but many people do make this kind of error. Also last week, dumped information about British soldiers was found littering a street. And, over recent years: Australian authorities sold filing cabinets that still had confidential files in them; US military personnel revealed their locations by carrying tracking apps on runs; an Irish police laptop was left in a Dutch brothel; the British COVID inquiry revolved around conveniently lost WhatsApp messages; and so many photos of important people have revealed passwords on sticky notes in the background.

The blunt truth about data security is that human error causes almost all problems. You can fold as much security into technical infrastructure as you like, even to the point that it is theoretically impossible to hack, and it'll mean nothing if someone leaks their login details. Some personal email providers, for example, offer zero-access encryption. This is well worth considering because it ensures that nobody - not even the provider - can access your data (and some major email providers do access it!). The downside is that you, and only you, are responsible for remembering and backing up your password. Forget it, and you're locked out of your account forever. Back it up insecurely, and it might be stolen. With true privacy and security comes inconvenience.

And historians might remember convenience as the malaise of the information era. Few people want an email address that they can lock themselves out of, so they allow their provider to store passwords on their behalf. Fine, but it's so easy to slide down a convenience pathway. You share a little more information than needed in a video meeting. You keep an unnecessary document open on your laptop. You read a confidential report on a train or forget to lock your screen when you leave a room. Eventually, something bad happens.

Granted, not as bad - or as stupid - as discussing a bombing campaign on a messaging app after accidentally including a journalist. But I'd wager many of us, in our own universes, have had a share of near misses. Which is why people who handle sensitive information must have regular information governance training. It's not just about revising the basics; the most important part is that it serves as a cue to get off the convenience slide and tighten up one's discipline.

Passwords that might be a little too similar to each other get purged, you ensure that the backup codes to 2FA solutions are available, you double-check that you're shutting down laptops before travel and you review the discipline of the staff who report into you.

That last part always makes me feel like a pedantic headmaster - and I thank the stars that I rarely have to be anyone’s boss - particularly since any information leak in my world, no matter how little damage it causes, is a significant incident. Reports are filed, senior managers notified, “learnings” learned, and the staff member spends a few days walking on eggshells.

In extreme cases, you fire them.
