The most common cause of security breaches was employees' loss of a laptop or other mobile data-bearing devices.
Employee negligence or
maliciousness is the root cause of many data breaches, according to "The
Human Factor in Data Protection," a report released by Ponemon Institute
and sponsored by cloud security specialist Trend Micro. More than 78 percent of
respondents blame employee behaviors, both intentional and accidental, for at
least one data breach within their organizations over the past two years.
Small and midsize businesses
(SMBs) are at a greater risk of their employees mishandling data than
enterprises, according to a separate analysis of the overall respondents from
organizations with less than 100 employees.
Overall, SMBs have a
slightly higher rate of data breaches81 percent versus 78 percentdue to
employees mishandling of sensitive data. SMB employees were reported to be more
likely to engage in "risky" behavior. In fact, 58 percent of them
will or have already opened attachments or Web links in spam, versus 39 percent
from enterprises; 77 percent will or have already left their computer unattended,
compared with 62 percent from their enterprise counterparts.
The survey also found that
more than half (55 percent) of SMB employees were likely to visit off-limit
Websites, compared with 43 percent of enterprise employees.
The top three root causes of
these breaches are employees' loss of a laptop or other mobile data-bearing
devices (35 percent), third-party mishaps or flubs (32 percent) (defined by
Ponemon as when a third-party vendor has another company's data that is stolen
or lost by the vendor, not the original entity, and the cause of data loss is
unknown) and system glitches (29 percent).
Alternatively, nearly 70 percent of those surveyed either agree or strongly
agree that their organization's current security activities are not enough to
stop a targeted attack or hacker, according to the study, which is based on a
poll of 709 IT and IT security practitioners in the United States.
The report found that even
when employees make unintentional mistakes, most of these breaches are only
discovered accidentally, according to 56 percent of respondents. Only 19
percent of respondents say that employees self-reported the data breach, making
it difficult to promptly resolve it. Thirty-seven percent say that an audit or
assessment revealed the incident, and 36 percent say that data protection
technologies revealed the breach.
The majority (65 percent) of
smaller organizations say that, in general, their organizations' sensitive or
confidential business information is not encrypted or safeguarded by data loss
protection technologies. Further, employees are less likely in smaller
organizations to spend time on data protection or have the proper technologies
in place to thwart data loss: 62 percent of organizations believe they are not
protected. Of these respondents, 65 percent say it is because technologies are
too expensive and 54 percent say they are too complex.
"Our conclusion is that
most threats posed by employees and those within companies are becoming more
prevalent because of the mobility of the workforce, proliferation of mobile
data-bearing devices, consumerization of IT and the use of social media in the
workplace," said Dr. Larry Ponemon, chairman and founder of Ponemon
Institute. "We saw that most surveyed believe their companies are not
doing enough to ensure a more effective security infrastructure against hackers
and targeted attacks. Combined with data-centric security technology, education
and awareness among employees are essential."