The idea that ‘people’ are the root cause of data breaches is starting to hit home with executives. According to the Verizon DBIR, 90% of all security incidents trace back to ‘people,’ whether through mistakes, phishing, bad behaviour, or lost devices. ‘People’ can leave organizations exposed to cyberattacks through poor password hygiene, a lost device, or falling for a phishing scam; the end result that gets publicized is the cyberattack, but addressing data security requires looking at the root cause: ‘people.’
A survey from First Advantage recently examined the disparity between the awareness of insider threats and which security controls are being put in place to minimize those threats. According to the survey, which polled 337 professionals in HR, risk management and C-level executives, 60% of respondents believe background screening is the most important security control to prevent data breaches, followed by anti-malware (53%) and physical security and physical access controls (39%).
Given the operational focus of First Advantage, this belief in the importance of screening is unsurprising. While we agree screening has an important part to play, we believe the majority of data breaches caused by people are non-malicious in nature, and therefore difficult to root out through screening alone. Mistakes cannot be predicted by screening. According to our own study, many employees put data at risk in small but ultimately significant ways, such as modifying default settings, accessing personal email, online banking and shopping, social media, public WiFi and file sharing.
Protecting corporate data from employees, whether malicious or inadvertent, is about more than pre-screening or regularly screening for rogue employee behaviour. This follows the same line of thought that protecting corporate data cannot rely on a relationship of ‘trust,’ since mistakes can (and will) happen. As with all aspects of data security, preventing data breaches from the actions and mistakes of employees, contractors and vendors requires ongoing awareness training, actionable policies and layers of technology to prevent breaches, to alert on suspicious activity, and to lock down or otherwise protect data if it is put at risk.
We share some of our thoughts on employees and data security in Defending Corporate Data in Spite of Employees as well as our whitepaper, ‘The Enemy Within – Insiders are still the weakest link in your data security chain.’