Where do the majority of security breaches originate? According to a recent study from law firm BakerHostetler, human error is the biggest threat to data protection. The report found that employee negligence was responsible for 36 percent of all security incidents, with outsider theft, insider theft and malware trailing at 22 percent, 16 percent and 16 percent, respectively. Phishing rounded out the top five at 14 percent. With many firms worried about the specter of malicious hackers and sophisticated malware, it’s sobering to realize the biggest risk lies within corporate walls. But how do companies tackle the “people problem?”

Not Alone

BakerHostetler isn’t the only one crying foul about human hubris. According to CMSWire, 22 percent of cybersecurity professionals surveyed at the recent RSA conference said that human error was the greatest threat to their organizations, while CompTIA noted that 52 percent of U.S. executives worry that people-based mistakes are a growing factor in security incidents.

So what’s wrong with human users? Part of the problem is lackluster training: Despite a greater awareness of security threats and more detailed threat training, many users simply aren’t taking the lessons to heart. As a result, the rate of human error is growing along with malware threats. In addition, many users face confusion when dealing with security protocols. For example, they may not be sure when data must be encrypted or what type of encryption to use.

What’s more, workers are often faced with striking a balance between project timelines and IT security. If project goals can be achieved by sidestepping certain security standards or using cloud-based workarounds, the potential for network compromise or accidental disclosure of personally identifiable information (PII) may be seen as an acceptable risk. In addition, the use of social media remains a sticking point for data protection; even well-trained users can still fall victim to legitimate-looking phishing scams, such as the recent CareerBuilder threat.

Helping the Humans

Fortunately, there are several ways that companies can help mitigate the threat posed by humans in their organization. First is dealing with self-detection. The BakerHostetler report found that security threats were self-detected in 64 percent of cases. Unfortunately, this detection took an average of 134 days, which is far too long if companies want to recover forensic evidence or design effective mitigation strategies. Automating threat detection where possible can help mitigate this issue.

EnterpriseAppsTech also recommends several other strategies that go beyond simply “better training” for employees and target one of the most common human vulnerabilities: mobile devices. First is the use of multifactor authentication, which requires users to provider one-time keys or tokens in addition to login details. This helps prevent malicious access even if employees have been careless on social sites or have opened risky emails. Companies must also take the initiative and limit employee access to secure file systems. Unless users have day-to-day needs for specific data, it should be off-limits. Even permitted access should always be tracked and recorded in the event a breach does occur.

Despite a growing number of sophisticated malware technologies and ambitious cybercriminal groups, employees remain the weakest link in corporate data protection. While it’s not possible to eliminate people from the IT cycle entirely, the right approach can help mitigate the impact of human nature.

More from

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…