Would you believe, employees are the biggest cause of data breaches

In Information Security / By Team Acumin / 28th March 2012

It would be interesting to gauge, statistically of course, the difference between the level of investment that goes into developing strategies, performing regular audits of procedures and buying security systems aimed at stopping data breaches caused by outside sources, and the investment aimed at those which originate from within.

In other words, are we in the risk management and information security industry inclined to place a potentially unnecessary emphasis on snuffing out cyber attacks and viruses from external sources, and too little on mistakes made by ‘our own’?

The question may be construed as provocative, but its purpose is not to assail organisations – or for that matter staff – but to understand what the status quo is. We only ask because a new study by the Ponemon Institute, produced in collaboration with Symantec, has revealed that in the US “negligent insiders” are the top cause of data breaches. And not every insider-caused breach is an accident: some are deliberate, or malicious, to use a more accurate word.

So, the details: 39 per cent of organisations that took part in the study said their data breaches were the result of employee carelessness; malicious or criminal attacks account for roughly a third of all breaches; organisations that employ a chief information security officer (CISO) can reduce the cost of a data breach significantly; and, positively, fewer customers jump ship when such a breach occurs: more of them stay loyal than in previous years.

With regard to employing a CISO as one of the key staff members of an organisation, we reckon this is something that will become a lot more prevalent in the foreseeable future. Just as most businesses already hire someone full-time to look after their finances, a CISO will become part of the norm. This is the information age.

The report estimates that if an organisation appoints an expert and gives them overall responsibility for protecting data, the average cost of a data breach falls by an astonishing $80 (approximately £50.70) per compromised record. Even hiring the role on contract, i.e. outsourcing it, is reported to be highly cost-effective.

“One of the most interesting findings of the 2011 report was the correlation between an organisation having a CISO on its executive team and reduced costs of a data breach,” commented Dr Larry Ponemon, chairman and founder of the Ponemon Institute. “As organisations of all sizes battle an uptick in both internal and external threats, it makes sense that having the proper security leadership in place can help address these challenges.”

In the meantime, it is worthwhile upskilling staff and educating them about the importance of best practice, highlighting the shortcomings that can lead to data breaches and advising them on how to handle data carefully. After all, not every business has the luxury of being able to afford a specialist.