It’s now recognized that people are the root cause of most data breaches, as many as 90% of all breaches, either inadvertently or maliciously putting data at risk. The expansion of the attack surface through mobility, the cloud and even the Internet of Things has only increased the number of ways that “people” can put data at risk. These breaches are, in many ways, preventable, but the first step in stemming them is understanding why they happen.
People have always been the weakest link in data security, but it’s only in recent years with the expansion of the attack surface that the true scope of the situation has become apparent. While 10 years ago these mistakes may have been overlooked, the legal requirements to report data breaches and the increased number of data breaches has put the spotlight on the need to stop these patterns of behaviour from repeating.
Bruce Schneier recently wrote an article exploring how the “normalization of deviance” can help us understand human behaviour, for it is true that people willfully ignore rules in all aspects of life. People become accustomed to deviant behaviour (behaviour that goes against rules or procedures) to the extent that they no longer consider it to be deviant. The process is gradual, which leads to ever more flagrant examples of the deviant behaviour becoming normalized. As Schneier notes, John Banja identified seven factors that contribute to this normalization of deviance:
- The rules are stupid and/or inefficient
- Knowledge is imperfect and uneven
- The work itself, and new technology, can disrupt work behaviours and rule compliance
- I’m breaking the rule for the good of my client / patient / project
- The rules don’t apply to me / you can trust me
- Workers are afraid to speak up
- Leadership withholding or diluting findings on system problems
We see the normalization of deviance often when it comes to specific behaviours (such as emailing files, using public WiFi, using weak passwords), but it also becomes systemic. For example, although mobile devices have empowered employees to be more productive with less reliance on IT, downloading their own apps or troubleshooting their own problems, this self-reliance rarely extends to security. Data security, in a networked world, was purely the responsibility of IT. As we’ve gradually transitioned to a mobile world, this belief that IT is responsible for data security has remained unchanged.
The normalization of deviance becomes a part of organizational culture, which is very difficult to disrupt or even recognize. Because the process is gradual, it can be hard to step back and see the problem at all. When the problem is as broad as taking personal responsibility for data security, it is even less straightforward to address. As the normalization of deviance suggests, people do not recognize the risks they are taking or the harm their actions are doing, and worse: they don’t believe it’s their problem.
In the coming weeks, we’ll be exploring more about the ‘Insider Risk’ and how people maliciously, inadvertently or unsuspectingly are putting data at risk. As other security experts such as Bruce Schneier will note, there is no easy fix for the Insider Risk. Part of the solution comes from recognizing weak areas and ditching optimism about “little” mistakes, shifting culture through ongoing education and awareness; part of the solution comes through technological monitoring to ensure that mistakes are caught and remediated quickly.