How to prevent data breaches caused by human error

With PGI’s Governance, Risk and Compliance Team

Megan Thomas

Human error contributes to up to 95% of data breaches, according to a recent 2024 study by Mimecast. Despite sophisticated cybersecurity tools, a single misdirected email, weak password, or accidental data exposure can lead to severe financial and reputational damage. 

In December 2024, Lloyds Banking Group experienced a serious data breach due to human error. A customer received a package containing detailed financial statements of other clients' investments. The exposed information included names, addresses, and portfolio movements.

This incident is a significant reminder that human error remains a critical risk in data security, and that organisations of all sizes must ensure robust data handling procedures are implemented. 

Organisations looking to strengthen their data handling and reduce risk exposure can benefit from external expertise. PGI provides tailored GDPR & DPA consultancy to help teams build secure, compliant processes that reduce the likelihood of human error leading to data breaches.

Although some level of human error is inevitable, implementing the right controls, procedures and training can significantly reduce the likelihood, cost, and overall impact of data breaches caused by human error. 

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The UK GDPR mandates that organisations must:

  • Understand how to recognise a personal data breach
  • Have robust breach detection, investigation and reporting procedures in place
  • Ensure their staff know how to report security incidents appropriately

Failure to comply with GDPR regulations can result in significant fines from the Information Commissioner’s Office (ICO).

How human error leads to data breaches

Even the most well-protected organisations can fall victim to breaches caused by simple mistakes. While no organisation can completely eliminate human error, a lack of awareness, internal processes and training can significantly increase the risk of mistakes occurring.

Some of the most common errors include:

  • Misdirected emails – Sending sensitive information to the wrong recipient.
  • Weak or reused passwords – Making it easier for hackers to gain access to systems.
  • Falling for phishing scams – Clicking on malicious links or providing login details to attackers.
  • Using a public Wi-Fi network – Exposing sensitive data on a work device to hackers through an unsecured connection.
  • Misconfigured systems – Leaving systems or applications exposed due to incorrect settings, making them vulnerable to attacks.

Although these errors seem minor, they can result in data leakage followed by severe financial penalties, regulatory fines, and loss of customer trust.

Build a strong internal data security framework

Human risk management should form a key element of your overall risk management strategy.

Human error is inevitable, but a well-structured data security framework can minimise opportunities for mistakes and limit impact when they do occur. By implementing clear policies and procedures, organisations can significantly reduce the likelihood of accidental breaches.

To ensure your organisation is handling data securely and is compliant with data protection regulations, you need to adopt a structured cybersecurity framework, implement security controls, follow information assurance best practice, and create a culture of security awareness.

Adopt a cybersecurity framework

A structured framework will help you to standardise security practices and ensure compliance with data protection regulations.

We recommend the following:

  • Achieving Cyber Essentials (Basic or Plus) – A government-backed certification ensuring the most fundamental IT security measures are in place.
  • Conducting a Gap Analysis – An assessment of your existing information security measures to identify areas for improvement.
  • Implementing ISO 27001 – A globally recognised standard for more mature organisations needing an advanced information security management system.

Strengthen IT controls

Minimising human error requires a combination of technical safeguards and clear policies. Enforcing the ‘principle of least privilege’ ensures employees can access only the data their role requires, which reduces the risk of leaks.

Restricting external email access for employees who don’t need it reduces accidental data leaks. For those who do need it, Microsoft 365 offers encryption on outbound emails and attachments, allowing rights to be revoked if a message is sent in error. Delays on emails with attachments provide time for corrections, while blocking large or high-risk file types adds another layer of protection.

Beyond email, limiting external file sharing in Teams, OneDrive, and SharePoint prevents unauthorised data exposure. Web filtering and Cloud Access Security Brokers (CASBs) can block unapproved SaaS apps, file-sharing sites, and personal email providers.
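As an added example (not PGI’s own configuration), the following Exchange Online mail-flow rules and SharePoint Online tenant setting implement the attachment, encryption and external-sharing controls described above. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, and that admin@example.com, the contoso-admin URL, the 10 MB threshold, the extension list and the "Encrypt" rights-management template name are placeholders to be adapted to your own tenant and data classification.

```powershell
# Added example, not PGI's own configuration. Placeholders: admin@example.com,
# https://contoso-admin.sharepoint.com, the 10 MB limit, the extension list and
# the "Encrypt" RMS template name. Tune these to your own data classification.

Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. Reject high-risk script/executable attachments addressed outside the organisation.
New-TransportRule -Name "Block high-risk attachments to external recipients" `
    -SentToScope NotInOrganization `
    -AttachmentExtensionMatchesWords "exe","js","vbs","ps1","bat","scr","iso" `
    -RejectMessageReasonText "This file type may not be sent to external recipients." `
    -Priority 0

# 2. Reject large outbound attachments; bulk data exports are a common misdirection risk.
New-TransportRule -Name "Block large attachments to external recipients" `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 10MB `
    -RejectMessageReasonText "Attachments over 10 MB may not be sent externally." `
    -Priority 1

# 3. Encrypt remaining external mail that carries an attachment (1KB is used here as a
#    proxy for "has an attachment"), so a misdirected message can still be revoked.
New-TransportRule -Name "Encrypt external mail with attachments" `
    -SentToScope NotInOrganization `
    -AttachmentSizeOver 1KB `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Priority 2

# 4. Review the resulting rule order before relying on it: lower priority runs first,
#    so the reject rules must sit above the encrypt rule.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State

Disconnect-ExchangeOnline -Confirm:$false

# 5. Turn off external sharing for SharePoint and OneDrive tenant-wide, then confirm it.
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenant -SharingCapability Disabled
Get-SPOTenant | Select-Object SharingCapability
Disconnect-SPOService
```

The send delay mentioned above is an Outlook client rule (defer delivery by a number of minutes) rather than a mail-flow rule, so it is not part of this script.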

These controls support a security-first culture by limiting unnecessary access to data and reducing the risk of data breaches.

Educate your staff

The saying ‘you’re only as strong as your weakest link’ isn’t new. Your people remain the first and last line of defence when it comes to cybersecurity, and proper training can significantly reduce human error, raise awareness and strengthen your organisation’s overall security posture.

  • Data protection awareness (DPA) training for all staff should be completed as part of your onboarding process, and should be repeated at least once a year, or every six months if your organisation handles a lot of sensitive data. 
  • Cybersecurity training, such as phishing awareness, helps to equip staff with the knowledge to handle threats effectively. 
  • Ensure that your staff are aware of internal reporting processes.
  • Send regular communications to staff to raise awareness of information security, of updates to any policies or processes, and of relevant risks.
  • Encourage a security-conscious culture, where there’s an open environment for your staff to ask questions and discuss any concerns. 

Although human error can never be fully eradicated from any organisation, a combination of strong technical controls and practical measures can help to minimise mistakes that could result in a costly data breach. 

At PGI, our Information Assurance and GDPR & DPA consultancy services are designed to help organisations of all sizes strengthen their resilience against data breaches, particularly those caused by human error. Our team combines technical expertise with a deep understanding of regulatory frameworks to deliver pragmatic, actionable guidance.

Get in touch with us today to find out more about how we can help secure your organisation and ensure you remain compliant with evolving data protection regulations.