InfoSec Advisory with Del Aden: The top 5 causes of HR data breaches


When it comes to protecting your company’s Human Resource (HR) data, “secure enough” isn’t good enough. Every enterprise today is a target for aggressive hackers, which is why data security should always be top of mind. Companies need to be proactive about defending against breaches — merely reacting to threats puts you several steps behind those malicious actors who want to breach your systems.

What type of data is most at risk in your organisation?

According to a recent survey, the data most at risk is financial data, followed by customer data and then employees' data. This brings us back to the issue of the security and confidentiality of HR data.

So, what are the top causes of data breaches?

When securing your company’s network and data, what types of data breaches should your IT and security staff guard against? According to the 2020 Verizon Data Breach Investigations Report (DBIR), these are the five main causes of data breaches today:


Hacking

This is the leading cause of data breaches today. 45% of enterprise breaches involved some sort of hacking. Of these breaches, 80% involved brute force or the use of lost or stolen credentials – which are often associated with a company’s use of web applications.
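Since brute force and stolen credentials dominate the hacking category, the cheapest detection is usually in the web application's own login log. The following is an added example, not code from the article or from Delta3 International; the log format, the thresholds and the sample lines are constructed for illustration. It flags one account hammered from one address (brute force), one address failing across many accounts (password spraying), and a success that follows a burst of failures (a likely guessed or stolen credential).

```python
# Added example, not from the original article: flag brute-force and
# password-spraying patterns in web-application login logs. Log format,
# thresholds and sample lines are constructed for illustration.
from collections import defaultdict

# Constructed sample lines: "<timestamp> <client-ip> <username> <result>"
SAMPLE_LOG = """\
2020-06-01T09:00:01 203.0.113.7 alice FAIL
2020-06-01T09:00:02 203.0.113.7 alice FAIL
2020-06-01T09:00:03 203.0.113.7 alice FAIL
2020-06-01T09:00:04 203.0.113.7 alice FAIL
2020-06-01T09:00:05 203.0.113.7 alice OK
2020-06-01T09:05:00 198.51.100.9 bob FAIL
2020-06-01T09:05:01 198.51.100.9 carol FAIL
2020-06-01T09:05:02 198.51.100.9 dave FAIL
2020-06-01T09:05:03 198.51.100.9 erin FAIL
2020-06-01T09:10:00 192.0.2.5 alice OK
"""

def parse_log(text):
    """Yield (ip, user, success) from the constructed format; skip bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"

def find_credential_attacks(text, fail_threshold=4, spray_threshold=4):
    """Return {(ip, kind): detail} for the three patterns explained above."""
    fails = defaultdict(int)         # (ip, user) -> failed attempts so far
    users_per_ip = defaultdict(set)  # ip -> distinct accounts it failed on
    findings = {}
    for ip, user, ok in parse_log(text):
        if not ok:
            fails[(ip, user)] += 1
            users_per_ip[ip].add(user)
        elif fails[(ip, user)] >= fail_threshold:
            # A success right after a burst of failures suggests a guessed
            # or stolen credential being used, not a forgetful user.
            findings[(ip, "success_after_failures")] = user
    for (ip, user), n in fails.items():
        if n >= fail_threshold:            # one account hammered: brute force
            findings[(ip, "brute_force")] = user
    for ip, users in users_per_ip.items():
        if len(users) >= spray_threshold:  # many accounts, few tries each
            findings[(ip, "password_spray")] = sorted(users)
    return findings
```

On the sample log the legitimate login from 192.0.2.5 produces no finding, while both attacking addresses are flagged; in production the thresholds should be tuned against your own baseline of failed logins.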

Social Engineering

Almost a quarter (22%) of breaches involve some form of social engineering. This is typically accomplished via the use of phishing to trick recipients into revealing their network credentials, or more personalized spear-phishing to fool recipients into initiating money transfers. According to recent research, phishing attempts originated via email 96% of the time. Approximately two-thirds of social engineering attacks involved obtaining login credentials; close to half also scammed the victim out of their personal information.


Errors

These have become more common within the past year, now accounting for as many breaches as social engineering – 22% of all incidents. Errors come in all types and sizes, including misconfiguration errors associated with data stored on web servers and publishing errors resulting from accidentally making private documents available on a public server.


Malware

This used to be a bigger issue than it is today. Despite the steady popularity of financially-motivated ransomware attacks, especially in the public sector, malware has consistently declined as a cause of data breaches. It now accounts for just 17% of all incidents. This decrease is a result of hackers seeking faster and easier ways to breach a system, such as credential theft via hacking or social engineering. Installing and managing malware is much harder work for a similar payoff.

Misuse by authorized users

This is the least prevalent cause of data breaches, accounting for just 8%. These breaches involve some sort of misuse by authorized users – human error, in other words. People will always make mistakes, even when those mistakes result in data breaches.

Who is responsible for most breaches?

According to the DBIR, external actors are behind 70% of data breaches today. Of these breaches, more than half are conducted by organized crime groups interested solely in profit. Other external actors include state-affiliated groups (more interested in espionage) and various non-affiliated groups and individuals.

The remaining 30% of data breaches involve internal actors, typically end-users or system administrators. Some of these internal breaches are criminal in nature, but most are simply mistakes by well-intentioned but careless employees.

How concerned should you be about data breaches?

Most people have an image of the typical computer hacker as a young kid in a dark hooded sweatshirt, like the ones you see in Hollywood movies and TV shows. If you buy into that image, you might not take data security as seriously as you need to.

The reality is that today’s cybercriminals are members of well-trained, well-equipped, and well-organized cyber gangs out for financial gain. Consequently, every organisation needs to take data breaches as seriously as the hackers do and prepare for them with all available resources. That means using the available data to identify the most likely threats and guarding against them in all aspects of your organisation – from IT to HR and beyond.

But what can senior management do to protect HR data?

  1. Premium data deserves premium security

Rather than relying upon point-in-time security assessments and controls, organisations should develop an iterative and transparent process that attests to their commitment to protecting critical data and intellectual property. The good news is that senior management has the power to protect their employees’ personal data and the company’s bottom line. While this does require considerable time, energy, and effort, the results will be well worth it.

  2. Continuous employee training

Everyone wants to work for an organisation that educates, advocates for and inspires its workforce. Consequently, organisations must provide thorough and continuous training to their workforce (most especially the IT and HR teams) so they may understand:

  • The risks of identity theft and security breaches
  • How to handle personal and organisational data
  • How to recognize and prevent various cyberattacks

In this regard, it is worth noting that Delta3 International will be running an online training course in Data Management & Data Security. Interested organisations should register their employees via our website (

  3. Develop a comprehensive cybersecurity plan

Work alongside your IT department to create a robust cybersecurity plan on how best to protect HR data. For example, working with your IT department and senior members of management, craft a document that outlines the best policies for handling, storing, and accessing the personal data of employees.

  4. Keep security at the top of your mind

It pays to encourage your employees to keep security at the top of their minds. That’s because informed employees usually make better decisions regarding their corporate security management, such as the use of stronger passwords.

In conclusion, senior management of all organisations should understand the fact that “When You Protect Your Employees’ Data, You Protect Your Company”.


About the Author

As an Enterprise Architect and Information Security Consultant, Del Aden is an industry-recognized security expert with over 20 years of hands-on experience in consulting, training, public speaking, and expert witness testimony. As the Managing Partner for Delta3 International, Del now focuses on helping customers prevent security breaches, detect network intrusions, and respond to advanced threats.

An astute speaker and trainer, Del is on the cutting edge of cybersecurity research and development. For comments, contact author: [email protected]  Phone / WhatsApp: +44 7973 623 624. Website:

Dele Aden


