TMC's Advisor

The Advisor is published by TMC

Whoops! Human-Caused Risks

The most destructive human-caused risk to any organization is war, with civil unrest and rioting coming in as close seconds. Luckily, the most common human-caused threats are less dramatic, but in some cases, they can also cause extensive damage. Apathy, carelessness, forgetfulness, inattention, and ignorance are such widespread concerns that it’s safe to assume that every organization has suffered because of them.

By Guy Robertson

Guy Robertson is a senior planner at TMC and an instructor at the Justice Institute of BC and Langara College. He has written five books and numerous articles on corporate security and disaster planning, and offered workshops and lectures at conferences across North America and in the UK.

Humans and Tech

“One of the more challenging aspects of dealing with customers,” said a retired salesperson from a large computer manufacturer, “is to convince people that one of the biggest risks to any IT system is human carelessness. People delete enormous amounts of data accidentally. They trip over cables and disable entire departments. They leave their laptops and other portable equipment on buses, trains and planes. They leave the server room unlocked. Many of us have made these mistakes.”

The Foundation of Risks

Apathy: “I really don’t feel like reviewing this data backup procedure. Boring! I’ll do it next week, maybe, if I find the time.”

Carelessness and Clumsiness: “Whoops! I dropped that big old binder of systems documentation that everyone makes a fuss about, and the binding broke. But I gathered up all of the loose pages, that is, except for a few in the middle. I don’t know where they went. Sorry.”

Forgetfulness: “I forgot to lock the server room, and now you’re missing the server with all of the marketing data.”

False Assumptions: “I thought that the executive assistants would bring in those boxes from the loading bay, and they didn’t. Those laptops got wet last night when it rained. There were some packages from other suppliers, too. They got really wet, but they should be fine when you dry them out, right?”

Inattention to Detail: “Did I back up all of today’s financial data? Perhaps not. Well, if you lose any, that’s a pity.”

Ignorance of Internal Policies: “Is it okay to show visitors around the vault? Some fellow asked to see our client files, so I showed him where they were in the vault, and he seemed very grateful. He was in there for quite a while. Are you missing any of those files? No, I haven’t had a chance to read the security manual, but I will, maybe next week.”

Inattention to Laws and External Regulations: “One of our older employees had a heart attack in the staff room last week, and none of us knew what to do. Somebody should have administered first aid, but nobody on staff had the training, so that unfortunate employee had to wait until an ambulance arrived, and that took quite a while. Our occupational health and safety code demands that we have at least one fully trained first aid attendant on site during business hours, so I guess one of us should take the training. When? Oh, sometime soon.”

The Result

Such statements seem outrageous, but they are reproduced here verbatim from sources in Canada, the US, and Britain. You must never underestimate the likelihood of human-caused risks, which most commonly result in lost data and other valuable assets, damage to fixtures and facilities, breaches of employee and client privacy, and loss of the organization’s reputation.

This article was published in the September 2020 edition of The TMC Advisor
- ISSN 2369-663X Volume:7 Issue:6

©2020 TMC Consulting