Published on December 10th, 2019 | by Sunit Nandi0
Most Data Breaches Are Caused by Employees Just Not Caring Enough
Data is “the new oil”, and the recent surge in data protection regulations have given businesses even more incentive to properly secure it. Under regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), a business can be subject to substantial fines and other penalties for failing to protect the personal information entrusted to them by their customers.
Simply based off of news coverage, it is apparent that data breaches are a growing threat to data security in the modern world. Hardly a day goes by without a new major data breach making headlines, and smaller breaches are occurring on a daily basis. In 2018, 5 billion records were exposed by data breaches, and that number is likely to be even larger in 2019. As organizations collect larger and larger amounts of sensitive and valuable information, hackers are increasingly incentivized to steal this information for use in other attacks or resale on the black market.
Decreasing the number of data breaches requires securing sensitive data throughout every stage of its life cycle within an organization. Accomplishing this throughout the enterprise requires understanding how many data breaches occur and how best to prevent them. While many data breaches are caused by malicious outsiders exploiting vulnerabilities in an organization’s defenses, this is not the case for all data breaches.
A significant portion of data breaches are caused by employees of the organization. In many cases, these employees are not malicious and deliberately taking action to harm the organization. Instead, these breaches are caused by employee negligence, which can be a much more difficult threat for organizations to protect themselves against. Identifying the source of breaches caused by employee negligence and developing ways to prevent these situations is essential to reducing an organization’s probability of data breaches.
Insiders are Often to Blame
The common view of a cyberattack or a data breach is that a hacker has identified some software vulnerability in the organization and has exploited it. This gives the attacker the ability to access the organization’s network, identify potentially valuable data, and exfiltrate it from the network.
However, in many data breaches, this isn’t actually how things work. In many cases, it’s an attack that starts from within. By taking some action that leaves data exposed to a potential attacker, an employee can make a data breach a crime of opportunity rather than the result of hard work on the part of the attacker.
The popular conception of a data breach involves digital access to sensitive information; however, access to printed documents can be just as damaging. 65% of managers believe that an employee or contractor has left a printed document lying around that could lead to a data breach. 71% report that they have personally found confidential documents left in a shared printer.
Another common source of data breaches caused by negligence is poor email hygiene. Choosing the wrong recipient for an email or failing to check the recipients list as an email chain accrues sensitive information can also be the cause of a data breach. 77% of respondents admit to having sent a sensitive email to the wrong person, and 88% have received one not intended for them.
Failing to properly dispose of sensitive paper documents and poor email hygiene are only two ways that employees can cause data breaches through negligence. Cloud deployments set to “public” are a common source of data leaks in many organizations, and lost, stolen, or discarded devices with sensitive information and no encryption can also leak data. A lack of malice does not mean that an employee is not a threat to an organization’s data security.
Protecting Sensitive Data from Negligence
Securing sensitive data against employee negligence is more difficult than handling most threats. In most cases, the threat comes from outside the organization, and denying them access to the data entirely is an acceptable solution.
Employees, on the other hand, require access to the data in question in order to perform their roles at the organization. Ensuring the safety of an organization’s sensitive data requires training employees to know how to properly assess the sensitivity of data and how to properly protect and dispose of it.
However, no matter how good this training it, mistakes will be made, and organizations need to be able to protect themselves from a data breach in these situations as well. Accomplishing this requires knowing where all potentially sensitive data is stored, monitoring access to the data, and performing behavioral analysis to identify anomalies that could indicate a possible problem.
A good data security solution can improve an organization’s ability to protect its sensitive data across the board. Automated data discovery can ensure that an organization knows where sensitive data is located on the network and ensure that it is properly protected. Monitoring access to these data stores ensures that users are only accessing data for which they have authorization. Behavioral analytics can help to identify both when a malicious user is trying to access data using an authorized account and when a legitimate user is engaged in activities that are more likely to result in data loss through negligence.
By protecting data in its digital form and providing an organization with the information necessary to place additional safeguards on printed media, data security solutions can dramatically decrease an organization’s exposure to data breaches caused by employee negligence.