As the costs of cyber crime continue to rise, there are some steps both IT departments and users should be taking to better protect data.
Who’s to blame for IT security breaches? Most technology professionals would probably agree that their companies’ users deserve the brunt of the blame for ignoring policies and being careless when working with sensitive information.
That notion is backed up by a recent Forrester report which found that employees’ actions were to blame for 36% of all the breaches that have occurred in 2013 so far — making that the No. 1 cause of IT security incidents during that time.
That includes both intentional malicious actions, as well accidental negligence.
What are employees doing that leads to so many breaches? While users do a number of things that put company data at risk, they’re especially having trouble when it comes to working with mobile devices and cloud computing applications, according to a recent survey conducted by Norton.
These are the top IT security mistakes being made by the 13,000 users polled by the security vendor:
1. 27% have lost a mobile device or had it stolen
Many data breaches have been reported because of a lost or stolen mobile computing device. Hopefully, when that happens, the people who end up with those gadgets won’t try to get at all the sensitive information they contain. But that’s probably wishful thinking, according to a 2012 study conducted by Symantec.
The company intentionally “lost” 50 smartphones in five cities across North America and then monitored what happened when they were found. Here’s what the finders did:
- 83% tried to access corporate information, including documents with labels such as “HR Salaries” and “HR Cases”
- 60% tried to read emails or access social media accounts
- 57% tried to open a file called “Saved Passwords”
- 49% tried to run a decoy “Remote Admin” app that appeared to allow access to a remote computer or network, and
- 43% tried to use a mobile banking app.
2. Nearly 50% don’t use passwords and other basic mobile security precautions
While vendors are developing some advanced security and mobile device management (MDM) applications for smartphones and tablets, close to half of the users surveyed admitted they don’t use even the most basic security tools that are available on their devices.
That includes password protection, mobile antivirus software and regular backups of important files.
Similar findings were found in a recent survey conducted by Soluto, in which 37% of iPhone users admitted they don’t password-protect their phones.
3. Many aren’t careful with cloud-based file storage
One of the top fears of IT departments is that users will start uploading all kinds of sensitive documents to unsecured, consumer-grade cloud storage services.
And there’s good reason to be concerned, as 24% of survey respondents say they put personal and work-related information in the same accounts.
Users are more likely to do so when they use mobile devices to create, edit or view those documents. While 78% of survey respondents said they avoid storing sensitive files online while working on a PC, only 48% said the same about when they’re using a smartphone.
4. Almost 40% don’t think twice when using public WiFi
Public wireless networks, such as those found in coffee shops, airports and other places, create a number a security risks that could result in unauthorized people stealing information from users.
However, 39% of users say they don’t take additional steps to protect data when using those public WiFi networks.
IT’s own security mistakes
While users should certainly be doing more to protect their employers’ information, IT departments are also missing some key security steps, according to a recent Ponemon Institute study of 60 organizations that had been hit by cyber attacks in the past year.
Those 60 organizations each lost an average of $11.6 million due to those attacks. The report identified several steps companies can take to reduce the costs of cyber crime — but many of the companies in the study are failing to take those actions:
1. Only 38% conduct substantial security training and awareness activities
Often, users make the mistakes they do because they don’t know any better, but as Ponemon’s results show, most companies should be doing more to change that.
Similar results were found in the Forrester survey, in which only 42% of employees in the U.S. and Europe said they have received security training on how to keep data safe while they work. In addition, just 57% claimed to be aware of their employer’s IT security policies.
2. Nearly half have no security leadership
In a Ponemon study from last year, the organization found that one of the top ways to cut the costs of data breaches is to appoint someone in IT to be the head of information security. Companies studied that employed a chief information security officer (CISO), or someone with an equivalent title, spent on average 35% less after a data breach compared to those that did not.
Centralizing the management of security, including how the company responds after a breach, is one way to help make sure no parts of the process fall through the cracks and create bigger expenses later.
However, among the companies looked at this year, just 55% have formed a senior-level security council, and only 52% have appointed a high-level security leader.
3. Most need more security talent
In addition to leadership, companies also need the skills and experience to implement top-notch IT security programs. However, just 40% of the companies studied said they have enough expert security personnel on staff.
While security experts can be hard to find right now, there are some things organizations can do to attract and retain talented security pros.