Employee negligence or maliciousness was the cause of at least one data breach at 78% of companies within the past two years, according to a recent Ponemon Institute study.
When asked about the root causes of all breaches during that time, the top answers included:
- An employee’s loss of a mobile device (cited by 35% of IT pros)
- Mistakes made by third-party organizations (32%)
- Employees’ mishandling of data (27%), and
- Malicious employees or other insiders (22%).
In contrast, just 8% listed external cyberattacks as a primary cause, according to the survey of 709 IT pros.
Users are responsible for more data breaches now, Ponemon says, because mobile technologies and social networking have given employees more chances to expose data, either accidentally or intentionally. Also, as more data is put in the hands of cloud providers and other third-party business partners, insiders at those organizations have more chances to expose sensitive data.
Making matters worse, even though many breaches are caused by user activities, those users fail to report incidents, making it difficult for IT to detect and deal with breaches. Just 19% of survey respondents said employees self-reported breaches. Most of the incidents (56%) were discovered accidentally.
The number of data breaches caused by users isn’t likely to get lower any time soon, as the survey shows company employees continue to engage in a number of risky behaviors, despite IT’s best efforts.
According to the IT pros surveyed, these are the most common user behaviors that put their organization’s data at risk:
- Losing USB drives and not notifying anyone in the company (cited by 87% of IT pros)
- Failing to change passwords regularly (76%)
- Reusing the same password for multiple accounts (74%)
- Carrying unnecessary sensitive information while traveling (70%)
- Failing to shred paper documents containing sensitive information (68%)
- Connecting to the company network with a personal device (66%)
- Leaving a work computer unattended while outside the office (65%)
- Sharing passwords with other employees (63%)
- Carrying sensitive data on unencrypted, unsecured USB drives (62%)
- Using work computers to connect to unsecured wireless networks (59%)
What can IT do to put a stop to those risky behaviors? Ponemon recommends organizations take another look at their security policies and make sure they’re updated to reflect new technology trends. For example, many businesses may need to add a rule requiring users to notify IT immediately if a mobile device or storage drive is lost or stolen.
It’s also a good idea to regularly examine user privileges to make sure no one has access to more data than they need for their jobs.
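One way to run that kind of privilege review in practice is to compare each account's current grants against a baseline of what its job role actually needs and flag the difference. The script below is an added example, not code from the original post or from the Ponemon report; the role baselines, the access snapshot and the role and resource names in it are constructed for illustration, and a real review would export the snapshot from the directory or IAM system instead.

```python
"""Entitlement review: flag accounts holding access beyond their role's baseline.

Added example, not part of the original post. The role baselines and the
access snapshot below are constructed; in practice the snapshot would be an
export of (user, role, resource) grants from the directory or IAM system.
"""
from collections import defaultdict

# Constructed role baselines: the data each job function legitimately needs.
ROLE_BASELINE = {
    "sales": {"crm", "price-list"},
    "finance": {"ledger", "payroll", "price-list"},
    "engineering": {"source-repo", "build-server"},
}

# Constructed snapshot of current grants as (user, role, resource) rows.
# A user listed with several roles is allowed the union of those baselines.
ACCESS_SNAPSHOT = [
    ("alice", "sales", "crm"),
    ("alice", "sales", "payroll"),           # excess: sales should not see payroll
    ("bob", "finance", "ledger"),
    ("bob", "finance", "source-repo"),       # excess: leftover from a past team
    ("carol", "engineering", "source-repo"),
    ("carol", "engineering", "build-server"),
    ("dave", "contractor", "crm"),           # no baseline defined for this role
]


def review_entitlements(snapshot, baselines):
    """Return {user: sorted resources outside the user's role baseline(s)}.

    A user whose roles have no baseline is reported with every grant, since
    nothing justifies those grants until a baseline for the role exists.
    Users with no excess are omitted from the result.
    """
    grants = defaultdict(set)
    roles = defaultdict(set)
    for user, role, resource in snapshot:
        grants[user].add(resource)
        roles[user].add(role)

    findings = {}
    for user, resources in grants.items():
        allowed = set()
        for role in roles[user]:
            allowed |= baselines.get(role, set())
        excess = resources - allowed
        if excess:
            findings[user] = sorted(excess)
    return findings


def format_report(findings):
    """Render findings as one 'user: remove a, b' line per account."""
    return "\n".join(
        f"{user}: remove {', '.join(findings[user])}" for user in sorted(findings)
    )


if __name__ == "__main__":
    print(format_report(review_entitlements(ACCESS_SNAPSHOT, ROLE_BASELINE)))
```

Run against the constructed snapshot this reports alice (payroll), bob (source-repo) and dave (crm, because the "contractor" role has no baseline) and stays silent about carol. The useful design choice is that an undefined role counts as excess rather than as allowed: an account the review cannot justify is exactly the one that should be looked at first.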
And of course, IT policies should also come with training and education to teach users why they need to follow the rules. Read our earlier post for information on how to improve IT security training.