We may not hear about data breaches every day, but that doesn’t mean the risks don’t exist. In fact, billions of sensitive data points are leaked every year, at an average cost of $4.9 million globally. What is most worrying isn’t the fact that data breaches are still happening. We live in a fast-paced technological era, so businesses naturally expect cybercriminals to move fast and to bring new and more sophisticated methods each time. But in over 9 in 10 cases, the breach is the result of human error.
This doesn’t necessarily mean that there was no prior criminal targeting and profiling that contributed to the error. It means that, for professional environments, the priority is to focus on a cybersecurity strategy designed to prevent human errors, whether they are accidental or deliberately induced.

What can companies do to manage the human factor in their data breach prevention policies? Here are some ideas to get started.
#1. Defining Data Access Needs
The first and most important question every organization needs to ask is the following: Who has access to sensitive data?
There is no denying that you can’t work without allowing some access to confidential data as part of operational requirements. However, it is essential to understand that confidential data do not need to be shared across the board at all times. That’s where role-based access control comes into play.
What is the purpose of role-based access control?
- Define which roles need data access
- Determine different data access rights
In other words, not every employee needs to have access to sensitive data to start with, and those with granted access may have different rights when it comes to working with data:
- Viewing
- Manipulation for analysis and reporting purposes (i.e., no modification made to the data)
- Editing some data or editing the whole set of existing data
- Adding/removing data or data sources
- Sharing data with others
Clearly defined data access may also come with additional verifications as part of role recruitment, such as ensuring that someone with full access is trustworthy. The goal here is to keep full access limited to a small number of employees, rather than the whole company.
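The role-to-rights mapping described above can be expressed as a deny-by-default policy, which also makes it easy to audit who holds full access. The following is an added example, not code from the original article; the role names, the dataset and the users are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Right(Enum):
    """The data-access rights listed in the article, as a fixed set of values."""
    VIEW = auto()        # viewing
    ANALYZE = auto()     # manipulation for analysis/reporting, no modification
    EDIT = auto()        # editing some or all of the existing data
    ADD_REMOVE = auto()  # adding/removing data or data sources
    SHARE = auto()       # sharing data with others


# Hypothetical role definitions for one sensitive dataset (constructed example).
# Any role not listed here gets nothing: access is denied by default.
ROLE_RIGHTS = {
    "analyst": {Right.VIEW, Right.ANALYZE},
    "data_editor": {Right.VIEW, Right.ANALYZE, Right.EDIT},
    "data_owner": set(Right),  # full access: keep this role on very few people
    "support": set(),          # works nearby but has no access to this dataset
}

FULL_ACCESS = set(Right)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def effective_rights(user):
    """Union of the rights of every role the user holds; unknown roles add nothing."""
    rights = set()
    for role in user.roles:
        rights |= ROLE_RIGHTS.get(role, set())
    return rights


def is_allowed(user, right):
    """Single authorization check to call before any operation on the dataset."""
    return right in effective_rights(user)


def users_with_right(users, right):
    """Audit helper: names of all users holding a given right, for periodic review."""
    return sorted(u.name for u in users if is_allowed(u, right))


def full_access_users(users):
    """Audit helper: users who can do everything. This list should stay short."""
    return sorted(u.name for u in users if effective_rights(u) == FULL_ACCESS)


# Constructed sample directory used by the checks above.
SAMPLE_USERS = [
    User("alice", frozenset({"analyst"})),
    User("bob", frozenset({"data_editor"})),
    User("carol", frozenset({"data_owner"})),
    User("dan", frozenset({"support"})),
    User("eve", frozenset({"contractor"})),  # role not in the policy: denied
]
```

Running `full_access_users(SAMPLE_USERS)` on a real directory export is the quickest way to confirm that full access really is limited to a handful of named people rather than to everyone who once needed it.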
#2. Creating Structured Data Management
Ultimately, it is pointless to define clear and strict data access roles if your data management strategy puts confidential data in front of the wrong audience. Data management is essential to ensuring that only the roles responsible for data editing and manipulation can perform their tasks on the data.
This starts with a reliable and secure database solution that can do a number of things for your company:
- Manage the volume of data the business receives
- Implement user rights that match your data access roles
- Integrate with other solutions without compromising data access roles
- Keep data organized and labeled correctly
The last thing you want is for data that is supposed to be sensitive to become readily available to a large group of employees through your database solution.
#3. Control Physical Access to Data
Digital data access may be part of the role description and responsibilities, but what about physical access to your data? Organizations that have an internal data server, for example, need to ensure that only individuals who are specifically authorized to work on the server can access the area. Yet this could be a number of people, ranging from tech engineers to systems maintenance experts and even specialist cleaning crews.
So, multiple steps need to be taken to protect physical access to your data:
- Careful vetting, both at external recruitment and in-house promotion levels
- Introducing physical barriers, such as commercial door access control systems
- Ensuring the control system can be adjusted as roles and requirements evolve
Physical access may also require a set of specific regulations regarding the types of devices one can bring into the area, and also what is allowed outside of the area. For example, laptops or mobile devices may not be brought into the secured area without formal authorization.
This may sound like overkill, but when servers can be accessed physically, they become a lot more vulnerable to human error, such as someone accidentally deleting data from the main server or adding corrupted data to it without prior checks, which could have dramatic consequences.
#4. Phishing Training
Phishing training is necessary for every business. But what does modern phishing look like?
- An email from a company address requesting access or data
- An email from an apparently trustworthy address sharing files or links
Nowadays, hackers are getting more creative when they target businesses. As a result, their emails tend to feel every bit as authentic as a real one. The typical strategy of pausing to question and check the validity of the email is not always realistic in the workplace environment where everything needs to go fast.
As such, in-house training needs to be very clear on what type of communication employees are likely to receive, and from which email addresses. This avoids confusion. For instance, if there is an internal email address designed to share data reports with the team, and employees receive an email from a very similar address but with no reports attached, this should already raise enough suspicion to prevent an accidental leak.
Similarly, there need to be clear paths to request IT support, files, or contact data, so that employees on the receiving end of these phishing messages know to avoid them. For example, someone who loses the password to a specific tool should reach out to the IT team via a ticket, rather than emailing co-workers.
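The "known sender, expected content" rule described above can be turned into a simple mail-triage check that flags lookalike addresses and known senders whose messages do not carry what they normally carry. This is an added example, not code from the original article; the sender allowlist, the domain and the sample messages are all constructed.

```python
from difflib import SequenceMatcher

# Constructed allowlist of internal addresses and what each one normally sends.
# "expects" is the attachment the team is trained to expect from that sender;
# None means the sender has no fixed pattern.
KNOWN_SENDERS = {
    "reports@example-corp.com": {"expects": "report"},
    "it-support@example-corp.com": {"expects": None},
}

# How close an unknown address must be to a known one to count as a lookalike.
LOOKALIKE_THRESHOLD = 0.85


def similarity(a, b):
    """Character-level similarity in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def closest_known_sender(sender):
    """Return (known_address, similarity) for the most similar allowlisted address."""
    best = max(KNOWN_SENDERS, key=lambda known: similarity(sender, known))
    return best, similarity(sender, best)


def triage(message):
    """Classify one message by its sender against the allowlist.

    message: dict with "from" (str) and "attachments" (list of filenames).
    Returns one of: "expected", "suspicious", "lookalike", "unknown".
    """
    sender = message["from"].strip().lower()
    attachments = [a.lower() for a in message.get("attachments", [])]

    if sender in KNOWN_SENDERS:
        expected = KNOWN_SENDERS[sender]["expects"]
        # Known address, but the usual content is missing: treat as suspicious
        # rather than trusting the From header on its own.
        if expected and not any(expected in a for a in attachments):
            return "suspicious"
        return "expected"

    known, score = closest_known_sender(sender)
    if score >= LOOKALIKE_THRESHOLD:
        return "lookalike"  # e.g. a dropped letter or a swapped character
    return "unknown"


def triage_all(messages):
    """Triage a batch and return the verdict alongside each sender, for review."""
    return [(m["from"], triage(m)) for m in messages]


# Constructed sample inbox used to exercise the checks.
SAMPLE_MESSAGES = [
    {"from": "reports@example-corp.com", "attachments": ["weekly-report.pdf"]},
    {"from": "reports@example-corp.com", "attachments": []},
    {"from": "report@example-corp.com", "attachments": ["weekly-report.pdf"]},
    {"from": "reports@example-c0rp.com", "attachments": ["weekly-report.pdf"]},
    {"from": "newsletter@vendor.example", "attachments": []},
]
```

The similarity threshold is deliberately simple; in practice the same idea is applied with homoglyph-aware comparison and with the organisation's real sending patterns, but the training message for staff stays the same: a near-match address, or a familiar address without its usual content, is a reason to stop and verify through the normal channel.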
#5. AI LLM Restrictions
AI may save you a lot of time when it comes to producing solutions and analyzing large volumes of data, but it’s important to appreciate that sharing data with AI is not safe.
Employees are using dozens of AI tools, and the last thing companies need is for sensitive data to be pasted into ChatGPT, Gemini, and similar tools. This can contribute to enhanced data leak risks and cause compliance issues.
Therefore, it’s essential for businesses to provide safe options and to block copy/paste for sensitive applications. This also requires in-depth training, both on the business side, to understand why people need to use these tools (unrealistic workloads or deadlines may be the cause), and on how to support people in their work without putting data at risk.
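One concrete form of the "safe option" mentioned above is a pre-submission filter that inspects text before it leaves the organisation for an external AI tool, blocks it when it contains sensitive items, and offers a redacted version instead. The following is an added example, not code from the original article; the detectors (email addresses, payment-card numbers validated with the Luhn checksum, and internal classification labels) and the sample prompt are constructed for illustration.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 14 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# Constructed classification labels the organisation stamps on internal documents.
INTERNAL_LABELS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(number):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return a list of (kind, matched_text) findings in the given prompt."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):  # digit runs that fail Luhn are not reported
            findings.append(("card_number", m.group()))
    for label in INTERNAL_LABELS:
        if label in text:
            findings.append(("classification_label", label))
    return findings


def redact(text):
    """Replace detected items with placeholders so a safe version can be sent."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = CARD_RE.sub(lambda m: "[CARD]" if luhn_ok(m.group()) else m.group(), text)
    for label in INTERNAL_LABELS:
        text = text.replace(label, "[LABEL]")
    return text


def check_prompt(text):
    """Decide whether a prompt may be submitted to an external AI tool.

    Returns a dict with "decision" ("allow" or "block"), the findings that
    caused a block, and a redacted copy the user can choose to send instead.
    """
    findings = find_sensitive(text)
    if findings:
        return {"decision": "block", "findings": findings, "redacted": redact(text)}
    return {"decision": "allow", "findings": [], "redacted": text}


# Constructed sample prompt containing a test card number and an address.
SAMPLE_PROMPT = (
    "Summarize this dispute: card 4111 1111 1111 1111 belongs to "
    "jane@example-corp.com and the case file is marked CONFIDENTIAL."
)
```

Pattern matching of this kind is a backstop rather than a guarantee, which is why the article pairs the technical control with training: the filter catches the obvious paste of a customer record, and the training explains why the report itself should not be going to an external tool in the first place.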
In conclusion, data breaches remain a significant risk in 2026. Human errors occur more often because of ineffective data strategies than because of malicious behavior.