Employee carelessness or malevolence is often the root cause of many data breaches, according to a new report – “The Human Factor in Data Protection” – from the Ponemon Institute and sponsored by Trend Micro Inc. (TYO: 4704; TSE: 4704), a global cloud security leader. Over 78 percent of respondents blame employee behaviors, both intentional and accidental, for at least one data breach within their organizations over the past two years.
The top three root causes of these data breaches are:
Loss of a laptop or other mobile data-bearing devices (35 percent).
Third-party mishaps or flubs (32 percent).
System glitches (29 percent).
While human error may be viewed as the root cause, nearly 70 percent of the respondents agreed or strongly agreed that their organization’s current security activities are not enough to stop a targeted attack or hacker, according to the study authors, who recently surveyed 709 experienced IT and IT security practitioners based in the United States.
The report reveals that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents. Only 19 percent of respondents say that employees self-reported the data breach, making it difficult to promptly resolve the breach. Thirty-seven percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.
Employees of small and medium-sized businesses (SMBs) were reported to be more likely to engage in “risky” behavior: 58 percent of them will open or have already opened attachments or web links in spam, versus 39 percent from enterprises; 77 percent will leave or have already left their computer unattended, versus 62 percent of their enterprise counterparts. The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limits websites, compared to 43 percent of enterprise employees.
“Our conclusion is that most threats posed by employees and those within companies are becoming more prevalent because of the mobility of the workforce, proliferation of mobile data-bearing devices, consumerization of IT, and the use of social media in the workplace. We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks. Combined with data-centric security technology, education and awareness among employees are essential,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.
“We help companies and their employees approach security with a new mindset, putting the focus on ‘data-centric’ security that integrates threat and data protection capabilities. This approach means that companies know who is accessing what data, when, where and how,” says Ian Gordon, Trend Micro Canada’s Director of Marketing and Channel.
According to the findings of the study, the following are the top 10 “risky” practices employees routinely engage in:
Connecting computers to the Internet through an unsecured wireless network.
Not deleting information on their computer when no longer necessary.
Sharing passwords with others.
Reusing the same password and username on different websites.
Using generic USB drives not encrypted or safeguarded by other means.
Leaving computers unattended when outside the workplace.
Losing a USB drive and not immediately notifying their IT department.
Working on a laptop when traveling and not using a privacy screen.
Carrying unnecessary sensitive information on a laptop when traveling.
Using personally owned mobile devices that connect to their organization’s network.