In 2014, more than 1,500 data breaches led to over one billion data records compromised worldwide, a 49% increase in data breaches and a 78% increase in data records breached. There is no question that cybercrime is at the root of this increase, with cybercriminals now highly motivated by the very lucrative business of stealing and selling data. The problem is that focusing on the driver, “cybercrime,” leads to an incorrect assumption about the root cause of data breaches. Employee mistakes and negligence are still often the root cause of data breaches.
According to a report by the Privacy and Data Protection Team at the BakerHostetler law firm, which reviewed the 200 security incidents it advised on in 2014, employee negligence was responsible for 36% of data security incidents. A further 22% were caused by theft by outsiders (of the device itself), 16% by theft by insiders, 16% by malware, and 14% by phishing attacks. If you add up all employee-related incidents, that’s 66% directly tied back to employee error, and the remaining attacks attributed to malware and theft by outsiders are likely linked in some way to employees as well. The Verizon DBIR released earlier this year connected most data breaches to “people”, suggesting that up to 90% of ALL security incidents are due to employee mistakes, phishing, bad behaviour, lost devices, and so on.
The BakerHostetler Data Security Incident Response Report offers insight into the importance of combining people, process and technology to better protect corporate data.
“While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimize vulnerabilities,” said Gerald Ferguson, co-leader of BakerHostetler’s Privacy and Data Protection Team.
“Our analysis shows that best-in-class cyber risk management starts with awareness that breaches cannot be prevented entirely, so emphasis is increasingly on defense-in-depth, segmentation, rapid detection and containment, coupled with ongoing effort to monitor threat intelligence and adapt to changing risks,” added BakerHostetler Privacy and Data Protection Team partner Craig Hoffman.
At Absolute, our advice is always to adopt a layered approach to data security, which mirrors the “defense-in-depth” approach suggested in the report. This holistic approach treats layered technology solutions, internal processes and user education as the foundations of protecting data. By reducing the impact of employee mistakes and negligence, and layering solutions that both protect data and detect incidents, you can protect your sensitive data with a defense-in-depth strategy. Read more about how to do this here and contact us to learn how we can help.