The PICNIC Problem

Posted by John on 15 October 2015

While much of the attention with respect to breaches focuses on cyber security and hacking, most breaches are in fact the result of staff acting in a deliberate but non-malicious manner, not of someone hacking the corporate network. From laptops being left on trains to inadvertently emailing sensitive information to thousands of people, several reports put human error as the top cause of data breaches (80%-90%). For this reason the term ‘PICNIC problem’ was coined (Problem In Chair Not In Computer).

There are numerous case studies that show how damaging getting the simple things wrong can be. One common cause we see time and time again is staff disclosing personal information freely. For example, a well-known mobile phone provider disclosed an individual's address to two criminals, who then robbed her of her phone (see case study https://privacyengine.io/). Another unfortunate example is a government department disclosing social welfare benefit details to private investigators, who extracted the information on behalf of their client for credit rating purposes. Simply verifying the identity of the requester in line with a suitable policy would have prevented both of these scenarios.

So what should a suitable policy in this regard look like and how do we implement such a policy?

If a company has a call centre, or even if it simply receives incoming calls from customers, employees should have a script or a set of guidelines specifying in which situations they need to verify the identity of a caller. Most companies now have this structure in place, yet these types of breaches still occur. The reason is usually not that the policy was missing or that people were not trained, although that is sometimes the case. The reason is that the importance of verification was not communicated effectively to staff. People almost never see the potential harm in what they are doing; this is called intentional non-malicious behaviour. We would always recommend that companies explain the ‘why’ to staff. In our experience this is a much more effective way of helping staff understand why it is so important not to disclose one person's details to another.

In conclusion

Disclosure of personal information by staff is increasing across a range of channels: over the phone, in corridors with colleagues, or on social media. In most cases people are not intentionally trying to damage the company or disclose sensitive personal information. In fact, in many cases the person disclosing the information is trying to have a positive impact; however, the results are all too often negative. We would always recommend that, in addition to having the correct policy and controls in place, companies explain the ‘why’ to staff. Increasing awareness may seem an obvious programme to initiate, but it would go a long way towards minimising intentional non-malicious breaches.