Most Companies Blame Employees for Data Breaches, Says Survey

The human element. It’s something information security professionals lose sleep over and just can’t seem to get under control. But the threat that smartphone-carrying, click-happy, and “helpful” (think social engineering) employees pose to an organization’s security posture is not new to any CISO or IT security professional.

But new research from Trend Micro, conducted by Ponemon Institute, shows just how much blame IT departments are putting on employees for their security mishaps. According to the report, “The Human Factor in Data Protection,” over 78 percent of respondents place blame on employee behavior, both intentional and accidental, for at least one data breach within their organizations over the past two years.

While the findings of the survey are not surprising, it is interesting to see where IT folks place the blame, and the statistics behind where they are pointing their fingers.

According to the study, the top three root causes of these breaches are employees’ loss of a laptop or other mobile data-bearing devices (35 percent), third party mishaps or “flubs” (32 percent) and system glitches (29 percent).

But are these incidents all the fault of employees or are they left helpless? Interestingly, almost 70 percent of those surveyed said they either agree or strongly agree that their organization’s current security activities are not enough to stop a targeted attack or hacker.

A recent study from McAfee and Xerox showed that more than half of workers don’t always follow or are unaware of their company’s security policies. So who’s to blame?

The Trend Micro report reveals that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents.

The study, which surveyed 709 IT and IT security practitioners in the United States, showed that only 19 percent of respondents said that employees self-reported the data breach. Thirty-seven percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.

It was also noted that SMBs are at a greater risk of their employees mishandling data than enterprises. A separate analysis of respondents from organizations with fewer than 100 employees found that SMBs have a slightly higher rate of data breaches – 81 percent versus 78 percent – due to employees’ mishandling of sensitive data. This could be a result of more stringent security policies in place at larger organizations and better security technology being deployed.

SMB employees tend to be more risky, the results show, with 58 percent of them admitting to having opened attachments or web links in spam, versus 39 percent from enterprises.

The majority (65 percent) of smaller organizations say that, for the most part, their organizations’ sensitive or confidential business information is not encrypted or protected by data loss protection technologies.

Additionally, employees at SMBs are less likely to spend time on data protection or have the proper technologies in place to thwart data loss: 62 percent of organizations believe they are not protected. Of these respondents, 65 percent say it is because technologies are too expensive and 54 percent say they are too complex.

Forty-five percent of respondents were at the manager level or higher in their organization, with more than 10 years of relevant experience on average. Seventy-eight percent are in organizations with a headcount between 100 and 5,000.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
