Users, hackers are neck and neck in data breach damage


If you’re like the vast majority of companies that worry about a hacker stealing sensitive data, here’s a wake-up call: Hackers are only slightly more likely to steal identities than your own people are to accidentally put them out in the public for the whole world to see.

That’s according to Symantec’s Internet Security Threat Report. We already discussed the ISTR’s findings on email threats, but there’s also good information on the causes of data breaches – and how some companies go about preventing them the wrong way.

Half of incidents unintentional

When looking at the statistics for 2015, Symantec found that 52% of personal identities exposed online were the result of attacks.

On the other hand, 48% were the result of a company accidentally putting the data out in the public. In other words, these were insider incidents. This was a sizable jump from the previous year, when only 22% of exposed records were accidental disclosures.

Other interesting findings:

  • Breakdown by incidents. While accidental exposure put a large number of records at risk, the incidents weren’t as common as hacking. Attacks made up 46% of total breach incidents.
  • Specific targets. Lost and stolen devices made up 21% of data breach incidents, but less than 1% of identities exposed. Likewise, insider theft accounted for 10% of incidents but less than 1% of identities exposed. That said, these incidents are ideal for stealing specific information rather than massive amounts of data, so the exposure may be more damaging than the number of records indicates.
  • What’s been lost? The five most common types of data stolen were:
    1. names (78%)
    2. home addresses (44%)
    3. dates of birth (41%)
    4. government IDs, such as Social Security numbers (38%), and
    5. medical records (36%).

Protecting against all breaches

It could very well be that the rise in accidental exposures was a one-time incident. It’s possible that in 2016, we’ll return to attacks being far and away the most common cause of identity or personal information exposure.

But let this be a lesson: 2015 has shown that data can and will be easily lost by human error. And companies that assume the only risks are coming from the outside will suffer from security decisions that neglect to account for that human element.

Make sure that your training covers how to safely transfer and store data. Doing so won’t prevent every incident and may not guard against outside attacks, but it could be a crucial first step toward protecting your data from internal leaks.
