SecurityWeek
Most Companies Blame Employees for Data Breaches, Says Survey

The human element. It’s something information security professionals lose sleep over and just can’t seem to get under control. But the threat from smartphone carrying, click-happy, and “helpful” (think social engineering) employees to an organization’s security posture is not new to any CISO or IT Security professional.

But new research from Trend Micro, conducted by Ponemon Institute, shows just how much blame IT departments are putting on employees for their security mishaps. According to the report, “The Human Factor in Data Protection”, over 78 percent of respondents place blame on employee behavior, both intentional and accidental, for at least one data breach within their organizations over the past two years.

[Figure: Breaches as a Result of Employee Behavior]

While the findings of the survey are not surprising, it is interesting to see where IT folks place the blame, and the statistics behind where they are pointing their fingers.

According to the study, the top three root causes of these breaches are employees’ loss of a laptop or other mobile data-bearing devices (35 percent), third party mishaps or “flubs” (32 percent) and system glitches (29 percent).

But are these incidents all the fault of employees or are they left helpless? Interestingly, almost 70 percent of those surveyed said they either agree or strongly agree that their organization’s current security activities are not enough to stop a targeted attack or hacker.

A recent study from McAfee and Xerox showed that more than half of workers don’t always follow or are unaware of their company’s security policies. So who’s to blame?

The Trend Micro report reveals that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents.

The study, which surveyed 709 IT and IT security practitioners in the United States, showed that only 19 percent of respondents said that employees self-reported the data breach. Thirty-seven percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.

It was also noted that SMBs are at a greater risk of their employees mishandling data than enterprises. Through a separate analysis of the overall respondents from organizations with fewer than 100 employees, SMBs have a slightly higher rate of data breaches – 81 percent versus 78 percent – due to employees’ mishandling of sensitive data. This could be a result of more stringent security policies in place at larger organizations and better security technology being deployed.

SMB employees tend to take more risks, the results show, with 58 percent of them admitting to having opened attachments or web links in spam, versus 39 percent of enterprise employees.

The majority (65 percent) of smaller organizations say that, for the most part, their organizations’ sensitive or confidential business information is not encrypted or protected by data loss protection technologies.

Additionally, employees at SMBs are less likely to spend time on data protection or to have the proper technologies in place to thwart data loss: 62 percent of organizations believe they are not protected. Of these respondents, 65 percent say it is because technologies are too expensive and 54 percent say they are too complex.

Forty-five percent of respondents were at the manager level or higher in their organization, with more than 10 years of relevant experience on average. Seventy-eight percent are in organizations with a headcount between 100 and 5,000.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
