Frequently we see headlines about high-profile data breaches in which cyber criminals break into corporate computer systems and steal customer lists, credit card numbers or other sensitive information. These high-profile breaches are certainly clear and present dangers, both to the companies charged with protecting this data and to the consumers whose private data has been exposed. However, breaches due to hacking have a way of overshadowing the equally important, and often lower-profile, breaches that are attributed to human error.
According to a recent Ponemon Institute survey report, “The Human Factor in Data Protection,” employees are the root cause of many data breaches through their negligence or malicious behavior. 78% of the survey respondents cite employee behaviors, both intentional and accidental, as leading to at least one data breach within their organizations over the past two years.
Why is the risk posed by employees becoming so prevalent? One word comes to mind: mobility. There is little doubt that the proliferation of mobile devices, BYOD, the consumerization of IT, and the general mobility of today’s workforce increase risk. One of the leading problems is employees losing thumb drives, laptops and other mobile devices.
Data breaches also stem from workers accidentally mishandling data at rest and in motion, and from malicious employees or other insiders who intentionally steal or otherwise damage company data. Despite growing concerns about cyber crime, only 8% of the survey respondents report an external attack as the primary root cause of a data breach experienced by their organizations.
The following 10 activities are risky practices employees routinely engage in, according to the Ponemon study:
- Connecting computers to the Internet through an insecure wireless network.
- Not deleting information on their computer when it’s no longer necessary.
- Sharing passwords with others.
- Reusing the same username and password on different websites.
- Using generic USB drives that are not encrypted or safeguarded by other means.
- Leaving computers unattended when outside the workplace.
- Losing a USB drive possibly containing confidential data and not immediately notifying their organization.
- Working on a laptop when traveling and not using a privacy screen.
- Carrying unnecessary sensitive information on a laptop when traveling.
- Using personally owned mobile devices that connect to their organization’s network.
Human nature being what it is, it is not surprising that only 19% of respondents say that employees self-report a data breach they may have caused (including loss of a device such as a thumb drive). This makes it difficult to mitigate the breach promptly. Moreover, 37% of those surveyed indicate that an audit or assessment revealed the incident, and 36% say that data protection technologies revealed the breach. More often than not, however, a breach is discovered quite by accident by an outside third party.
While layered security approaches and technologies are important in data protection/risk mitigation, it is critical for organizations to reduce the risk of employee negligence or maliciousness through policies, training, monitoring and enforcement.
Human factor risk, from both internal and external sources, poses a very clear threat to an organization’s sensitive and confidential information. The risk of a data breach, as outlined in this study, is especially great when employees lose a laptop or another mobile data-bearing device. Given the potential for a costly data breach and loss of reputation due to the exposure of confidential information, it is imperative that companies expand the focus of their data security initiatives to ensure that employees and other insiders understand the importance of data protection.
The Ponemon report recommends that organizations take the following steps:
- Create awareness among employees and other insiders about the need to spend more time and effort on data protection activities.
- Ensure data protection policies address areas where an organization is most vulnerable to a data breach.
- Investigate governance and technology solutions that are both efficient and cost effective.
- Make sure those who are given privileged user status are knowledgeable about the risks.
- Require immediate notification if a mobile device containing sensitive or confidential information is lost or stolen.
- Create policies for the use of social media in the workplace.
Hacking attacks may make the headlines, but studies show that organizations are even more at risk from careless and malicious insiders.