May 20, 2015 By Douglas Bonderud 2 min read

Where do the majority of security breaches originate? According to a recent study from law firm BakerHostetler, human error is the biggest threat to data protection. The report found that employee negligence was responsible for 36 percent of all security incidents, with outsider theft, insider theft and malware trailing at 22 percent, 16 percent and 16 percent, respectively. Phishing rounded out the top five at 14 percent. With many firms worried about the specter of malicious hackers and sophisticated malware, it’s sobering to realize the biggest risk lies within corporate walls. But how do companies tackle the “people problem?”

Not Alone

BakerHostetler isn’t the only one crying foul about human hubris. According to CMSWire, 22 percent of cybersecurity professionals surveyed at the recent RSA conference said that human error was the greatest threat to their organizations, while CompTIA noted that 52 percent of U.S. executives worry that people-based mistakes are a growing factor in security incidents.

So what’s wrong with human users? Part of the problem is lackluster training: Despite a greater awareness of security threats and more detailed threat training, many users simply aren’t taking the lessons to heart. As a result, the rate of human error is growing along with malware threats. In addition, many users face confusion when dealing with security protocols. For example, they may not be sure when data must be encrypted or what type of encryption to use.

What’s more, workers are often faced with striking a balance between project timelines and IT security. If project goals can be achieved by sidestepping certain security standards or using cloud-based workarounds, the potential for network compromise or accidental disclosure of personally identifiable information (PII) may be seen as an acceptable risk. In addition, the use of social media remains a sticking point for data protection; even well-trained users can still fall victim to legitimate-looking phishing scams, such as the recent CareerBuilder threat.

Helping the Humans

Fortunately, there are several ways that companies can help mitigate the threat posed by humans in their organization. First is dealing with self-detection. The BakerHostetler report found that security threats were self-detected in 64 percent of cases. Unfortunately, this detection took an average of 134 days, which is far too long if companies want to recover forensic evidence or design effective mitigation strategies. Automating threat detection where possible can help mitigate this issue.

EnterpriseAppsTech also recommends several other strategies that go beyond simply “better training” for employees and target one of the most common human vulnerabilities: mobile devices. First is the use of multifactor authentication, which requires users to provider one-time keys or tokens in addition to login details. This helps prevent malicious access even if employees have been careless on social sites or have opened risky emails. Companies must also take the initiative and limit employee access to secure file systems. Unless users have day-to-day needs for specific data, it should be off-limits. Even permitted access should always be tracked and recorded in the event a breach does occur.

Despite a growing number of sophisticated malware technologies and ambitious cybercriminal groups, employees remain the weakest link in corporate data protection. While it’s not possible to eliminate people from the IT cycle entirely, the right approach can help mitigate the impact of human nature.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today