back to blog

Most Data Breaches Are Employee Mistakes

Not long ago we revealed that, according to a Kaspersky Lab survey, accidental data leaks by staff are now the biggest source of lost company data. Sophisticated hacking is certainly a contributor but, additional research reveals approximately 60 percent of data breaches are non-hacking related and are attributable to employee mistakes including lost laptops, software errors and common online security mistakes.

Recent events confirm how easy it is for well-meaning employees to open their organizations to vulnerabilities:

  • Social media giant Snapchat recently experienced a data breach that exposed payroll information of 700 current and former employees. How did it happen? The attacker pretended to be Snapchat Chief Executive Evan Spiegel and tricked an employee into emailing over the information. This specific scam has gotten so common the IRS has issued an alert to payroll and HR professionals to be suspicious of any emails asking for personal information about employees, no matter who it appears to come from.
  • Google’s employee information was recently compromised due to a data breach that occurred at a company it uses for benefit management services. A document including Google employee information was accidentally sent from that company to the benefits manager at another company (not Google). Fortunately it ended there (with the email being deleted immediately), but the potential ramifications could have been much worse.
  • One out of 10 laptops is stolen each year, with many containing sensitive corporate data. The healthcare industry may suffer the most from this epidemic. Verizon’s 2015 Data Breach Investigation Report (DBIR) revealed that stolen laptops make up almost half (45 percent) of healthcare data breaches. In some instances, tens of thousands of patient records are compromised in a single incident.
  • Former information security managers at Home Depot told Bloomberg Businessweek that outdated security software might have given hackers an open door to breach the retailer’s payment data systems back in 2014. Outdated software is a problem that spans all organization sizes. While 94 percent of SMBs (small- to mid-sized businesses) think it is important to keep software updated, only 59 percent of companies report their software is always up-to-date.

So, if most data breaches are caused by any number of these mistakes, how can they be avoided?

A Willis Towers Watson study on the subject reveals a well-trained IT staff or IT partner is key. The study found the onboarding process for IT staff is a common blind spot, specifically if new staff is not effectively trained in processes and procedures to manage cyber risk.

According to Steve Waller, owner of Austin-based Technigogo Technology Services, while large enterprise organizations are equipped with in-house IT departments that are able to secure networks quite effectively, the real risk is the smaller business with an outsourced IT service or no IT support at all.

“The damage to a company from a compromised system is beyond the comprehension of most companies in that category,” Waller explains. “The first damage is the loss of valuable data from corruption, encryption or other virus and malware effects. The second, for many industries, is the required disclosure to your customer base.”

Waller adds the trend in regulatory compliance is toward more disclosure, so expect that to become increasingly standard with time. The following steps are what Technigogo Technology Services considers “defensive weapons” that every organization should use.

  1. Secure your internet traffic before the firewall with a threat detection network security platform DNS service. Not only will this keep your staff away from dangerous websites that can load viruses onto your systems, but it can also be used to control or block employee access to time-wasting sites such as Facebook, Twitter, personal email and more.
  2. The next layer of protection is an enterprise-level firewall. According to Waller, there are fantastic options for the small business owner that don’t require thousands of dollars in hardware.
  3. Utilize world-class endpoint protection. These new antivirus products are better than ever, points out Waller, but the market changes often. An IT provider must stay on top of what works best.
  4. Back it up. This is still the only sure-fire protection against today’s ransomware viruses. All servers and critical workstations should have image backups with critical data also backed up offsite to the cloud.
  5. Consider a server with a domain, which affords detailed access control to limit the exposure to your systems and sensitive files.
  6. The last line of defense is training and informing the staff itself. This is still helpful but never in exchange for all the steps above.

“I emphasize training and informing last because, while it’s important, it won’t eliminate your risk alone,” Waller explains. “You absolutely have to employ the five steps above it to expect real results. It’s important to utilize technology, programming and scripts first. We all make mistakes, so eliminating as much of the human burden for your network security is the goal to achieving peace of mind.”

Accidents happen. But, in this digital age, one simple mistake—like sending an email to the wrong person or leaving a laptop unattended—can lead to immense problems for an organization. Do you trust your employees to be as vigilant as they should be or to recognize a problem when they see it?


Image Copyright:  racorn / 123RF Stock Photo