Where do the majority of security breaches originate? According to a recent study from law firm BakerHostetler, human error is the biggest threat to data protection. The report found that employee negligence was responsible for 36 percent of all security incidents, with outsider theft, insider theft and malware trailing at 22 percent, 16 percent and 16 percent, respectively. Phishing rounded out the top five at 14 percent. With many firms worried about the specter of malicious hackers and sophisticated malware, it’s sobering to realize the biggest risk lies within corporate walls. But how do companies tackle the “people problem?”
BakerHostetler isn’t the only one crying foul about human hubris. According to CMSWire, 22 percent of cybersecurity professionals surveyed at the recent RSA conference said that human error was the greatest threat to their organizations, while CompTIA noted that 52 percent of U.S. executives worry that people-based mistakes are a growing factor in security incidents.
So what’s wrong with human users? Part of the problem is lackluster training: Despite a greater awareness of security threats and more detailed threat training, many users simply aren’t taking the lessons to heart. As a result, the rate of human error is growing along with malware threats. In addition, many users face confusion when dealing with security protocols. For example, they may not be sure when data must be encrypted or what type of encryption to use.
What’s more, workers are often faced with striking a balance between project timelines and IT security. If project goals can be achieved by sidestepping certain security standards or using cloud-based workarounds, the potential for network compromise or accidental disclosure of personally identifiable information (PII) may be seen as an acceptable risk. In addition, the use of social media remains a sticking point for data protection; even well-trained users can still fall victim to legitimate-looking phishing scams, such as the recent CareerBuilder threat.
Helping the Humans
Fortunately, there are several ways that companies can help mitigate the threat posed by humans in their organization. First is dealing with self-detection. The BakerHostetler report found that security threats were self-detected in 64 percent of cases. Unfortunately, this detection took an average of 134 days, which is far too long if companies want to recover forensic evidence or design effective mitigation strategies. Automating threat detection where possible can help mitigate this issue.
EnterpriseAppsTech also recommends several other strategies that go beyond simply “better training” for employees and target one of the most common human vulnerabilities: mobile devices. First is the use of multifactor authentication, which requires users to provider one-time keys or tokens in addition to login details. This helps prevent malicious access even if employees have been careless on social sites or have opened risky emails. Companies must also take the initiative and limit employee access to secure file systems. Unless users have day-to-day needs for specific data, it should be off-limits. Even permitted access should always be tracked and recorded in the event a breach does occur.
Despite a growing number of sophisticated malware technologies and ambitious cybercriminal groups, employees remain the weakest link in corporate data protection. While it’s not possible to eliminate people from the IT cycle entirely, the right approach can help mitigate the impact of human nature.