Cyber security breaches can come from a wide variety of sources: Hackers out to exploit vulnerabilities and make money or wreak havoc; nation states looking to gain an economic advantage; competitors aiming to steal intellectual property; and disgruntled employees plotting to cause damage at their companies—to name a few.
Oftentimes, however, the biggest reason for cyber security issues has nothing to do with evil intent; it’s simply a matter of human error or negligence.
The reasons for this type of risk can include employees’ lack of awareness of their personal responsibility for cyber security, a poor understanding of steps the organization is taking to address security threats, and a low “cyber IQ” that results in behaviors that increase risk to internal systems and processes, according to global advisory firm Willis Towers Watson.
A new survey of 1,000 U.S.-based senior and mid-level security professionals by Opinion Matters research group, commissioned by Egress, shows that 83% think employees have accidentally exposed customer or business sensitive data at their organization.
The research found that accidental data breaches are often compounded by an organizational failure to encrypt data prior to it being shared, both internally and externally. This puts organizations at risk of non-compliance with major data privacy regulations such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and the emerging California Privacy Act.
A majority of security professionals (83%) think employees have put customer personally identifiable information and business sensitive information at risk. The report said this is largely driven by the explosive growth in unstructured data (emails, documents, files, etc.), combined with the growing number of ways in which workers can communicate internally and externally.
The five most common technologies that have led to accidental data breaches by employees, according to the survey, are external email services (51%), corporate email (46%), file sharing services (40%), collaboration tools (38%), and messaging apps (35%).
Among the most common email accidents that lead to data breaches are accidental sharing/wrong email address, email forwarding of sensitive data, sharing attachments with hidden content, and forwarding data to personal email accounts.
The survey also found that a large majority of organizations fail to encrypt data before its shared both internally and externally. This compounds the accidental breach problem, the report said, ensuring that any mistake by an employee will result in data definitely being exposed. As a result, organizations are at risk of non-compliance with major data privacy regulations.
The research shows that 79% of organizations share sensitive business data internally without encryption, and 64% share sensitive business data externally without encryption.
Despite the failure to encrypt, data privacy regulations are driving changes in organizational approaches to security, the study said. When asked how new regulations changed how information is shared, respondents said they have implemented new security policies (59%), invested in new security technologies (54%), invested in regular employee training (52%), and restricted the use of external data sharing tools (44%).
With employee negligence and misunderstanding of cyber security responsibilities playing a key role in elevated risk, organizations need to take steps to reduce human error that can lead to major data breaches.
The National Cybersecurity Center (NCC), a non-profit organization that helps executives protect against cyber attacks, said employee education and applying common sense practices should be a priority at companies.
One of the approaches organizations can take in providing employee education and training is to emphasize the human element of the risk, said Jonathan Steenland, COO of the NCC. Quoted in a recent article on ZDNet, Steenland said effective training includes content that addresses a threat’s psychological, behavioral, and economic aspects, with practical advice on how to spot scams and protect data.
Another step is to link the risks to employees’ lives outside of work. Companies should take staff demographics into account and create training that focuses on employees’ lives and the risks they face, such as having a personal bank account hacked.
In addition, IT and security executives should work with the marketing department to make training stick with employees by coming up with easy-to-grasp training modules with snappy taglines and engaging graphics. These modules should grab workers’ attention and deliver a compelling call to action, Steenland said.
Also, it’s important to follow up with testing such as a white-hat phishing expeditions or unescorted visitors in the workplace to see how employees apply their knowledge about threats to spot scams and intruders, Greenland said. Followup testing can also provide a baseline that enables companies to measure the effectiveness of training programs, so they can measure the maturity of their cyber security programs.