NewsJuly 16, 2018 @ 7:10 AM

Human Error Strains Security Teams: How Can Companies Nip Employee Negligence in the Bud?

Employee negligence continues to be a top information security risk for key figures in the enterprise, especially IT security professionals who rely on internal threat reports to do their jobs. This risk can take the form of genuine human error, a lack of security awareness or even deliberate attempts to steal corporate data for personal gain.

According to the 2018 State of the Industry report from document destruction company Shred-it, 96 percent of Americans said they view employee negligence as at least a minor cause of data breaches against U.S. companies. Some were even more convinced: Eighty-four percent of C-suites see it as one of their biggest information security risks — and 51 percent of small-business owners agree.

Reflecting this viewpoint, the majority of U.S. businesses revealed that they’re struggling to keep pace with modern workplace trends. In particular, 86 percent of C-suites, and 60 percent of small-business owners said they believe the risk of a data breach is higher when employees work remotely.

How can companies increase cyber awareness among nontechnical employees and better incentivize them to report potential security issues before they become full-blown incidents?

What Are the Consequences of Employee Negligence?

According to the Shred-it report, two main factors are driving up the level of concern over instances of workforce negligence, which includes accessing company systems over remote and unsecured networks or improperly disposing of sensitive data.

Employee carelessness is the first factor and has historically been one of the primary causes of data breaches. The IBM X-Force team uncovered as much in its 2018 Threat Intelligence Index, noting that negligent actions were behind two-thirds of total records compromised in 2017.

Employee negligence is the second factor and makes the job of IT security professionals more difficult. To adequately defend organizations against cyberthreats, security teams need employees to report any issues they come across. However, organizations don’t always encourage them to do so. According to a 2016 Ponemon report, 67 percent of respondents said their organizations don’t provide incentives for employees to report security issues proactively.

This lack of engagement can cause small issues to evolve into major security incidents. For example, 79 percent of respondents to a Keeper Security survey that suffered ransomware attacks said the threat entered their systems through phishing emails.

Employees can help identify phishing attacks — but without the knowledge or incentive to do so, many either fall for the scam or simply keep it to themselves. As a result, security teams must devote their resources and respond to these issues that could have been prevented in the first place.

How Companies Can Minimize the Effects of Human Error

Organizations can counter negligence among their workforce by integrating data protection measures, such as resiliency backup and other disaster recovery tools, into their business practices.

Companies should also continuously evaluate the effectiveness of their security strategies and ensure that internal protocols are keeping pace with the increasingly sophisticated threat landscape. These policies should include ongoing security awareness training for the entire company and provide employees with incentives to report potential threats.

Share this Article:
David Bisson

Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.