Breaches caused by outside hackers get the most press. For example, the recent Equifax breach that resulted in the release of confidential data on 143 million Americans was carried out by external hackers who may have been state sponsored. The breach resulted in Equifax’s chief executive officer, chief information officer, and chief security officer all losing their jobs.
However, the hackers were able to penetrate Equifax’s network because an employee failed to deploy a routine patch for a known vulnerability in the Apache Struts web-application framework (CVE-2017-5638). The fix had been published months before the intrusion began; the attackers simply exploited a hole the company already knew how to close.
The reality is that many data breaches occur due to employees’ intentional or unintentional actions. In fact, according to data from global brokerage firm Willis Towers Watson, two-thirds of breaches are the result of employee negligence or malicious acts.
In this blog, we will focus on data breaches caused by human error.
Data Breaches and Human Error
First and foremost, many employees use poor password practices. Verizon’s 2017 Data Breach Investigations Report (DBIR) found that 81 percent of hacking-related breaches leveraged stolen or weak passwords.
One way attackers steal employee passwords is phishing: tricking individuals into handing over their credentials, typically with an email that impersonates a trusted sender and links to a lookalike login page. Unfortunately, many employees still fall for phishing and other social engineering tricks; the DBIR found that 43 percent of breaches involved social engineering. More training is definitely needed to help employees recognize phishing emails and the other social engineering tactics designed to compromise systems and networks.
In addition, employees who send or take sensitive files outside of the company are risking loss or theft of those files and the sensitive data contained within them. A recent example of this risk was the decision of a Boeing employee to send personal details of ~36,000 employees in a spreadsheet to his spouse for help with formatting. This was obviously not a malicious act, but still put a huge amount of employee data at risk.
With the move toward a mobile workplace, devices containing sensitive information are leaving the office in droves. While this no doubt improves employee productivity, it also poses a risk to sensitive data if a device is lost on the subway or stolen from an employee’s car.
Finally, improper disposal of devices and/or sensitive data poses a risk to corporate data. This can occur when devices are not wiped or paper documents are not shredded when they are disposed of. For example, sensitive documents containing personal information on military veterans were found blowing around a Boston suburb after the city government had contracted with a document shredding company.
What Can You Do?
So, what can you do to combat the security risks posed by negligent or careless employees?
The first step is to survey your company’s employees to see where you stand in terms of cybersecurity knowledge. You can use this data to determine where your greatest risks lie.
Then, you should launch or update your data security awareness and training program based on those results. Training employees on your company’s security policies and procedures should be part of the onboarding process and should be included in periodic training, advises Will Daugherty, counsel with BakerHostetler’s Privacy and Data Protection team.
To help employees combat phishing, your company can undertake a simulated phishing program to test their ability to recognize phishing emails. These programs help you measure your employees’ baseline susceptibility to phishing, identify those users that need additional training, and measure your company’s progress toward reducing phishing risk.
Another step your company should take is to implement full-disk encryption on laptops and mobile devices, and encryption of portable storage, wherever they hold sensitive information. Keep in mind that encryption only protects data on a lost or stolen device while the device is locked or powered off and the key is protected by a strong passphrase or hardware-backed credential, so pair it with screen-lock and remote-wipe policies. Related to this, you should consider deploying data loss prevention (DLP) software that inspects outbound email and uploads and blocks or flags sensitive information leaving the corporate network without authorization.
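As an added example, not code from the original post or from any product mentioned in it, here is a minimal outbound-content check of the kind a DLP tool applies to an email attachment before it leaves the network. It is written in Python and runs over a constructed spreadsheet export (every value in `SAMPLE_CSV` is made up). The part a practitioner cares about is the validation: the SSN plausibility rules (area not 000, 666 or 900-999, group not 00, serial not 0000) and the Luhn checksum keep a 16-digit order number or a nonsense nine-digit value from tripping the filter and training users to ignore it.

```python
import re
from typing import Dict, List

# Constructed sample input: a spreadsheet export of the kind an employee might
# e-mail to a personal address for "help with formatting". Every value is made
# up; the order_id column is a 16-digit number that is NOT a card number.
SAMPLE_CSV = """name,ssn,card,order_id
Alice Example,123-45-6789,4111111111111111,1234567890123456
Bob Example,987-65-4321,4111111111111112,1234567890123456
Carol Example,219-09-9999,5555555555554444,1234567890123456
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d{13,16}\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values that have the SSN shape but can never be issued:
    area 000, 666 or 900-999; group 00; serial 0000 (SSA issuance rules)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. Filters out the many
    13-16 digit strings (order IDs, timestamps) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pii(text: str) -> Dict[str, List[str]]:
    """Return the validated SSNs and card numbers found in text, in order."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_valid(m.group(0))]
    return {"ssn": ssns, "card": cards}


def should_block(text: str) -> bool:
    """Policy decision for an outbound message or attachment: block if any
    validated PII is present. A real deployment would also log and alert."""
    findings = scan_for_pii(text)
    return bool(findings["ssn"] or findings["card"])


def redact(text: str) -> str:
    """Alternative to blocking: mask validated PII but keep the last four
    digits so the recipient can still tell records apart."""
    def mask_ssn(m: "re.Match") -> str:
        return "XXX-XX-" + m.group(3) if ssn_plausible(*m.groups()) else m.group(0)

    def mask_card(m: "re.Match") -> str:
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_valid(s) else s

    return CARD_RE.sub(mask_card, SSN_RE.sub(mask_ssn, text))


if __name__ == "__main__":
    print(scan_for_pii(SAMPLE_CSV))
    print("block" if should_block(SAMPLE_CSV) else "allow")
    print(redact(SAMPLE_CSV))
```

Run on the sample, the scanner reports two SSNs and two card numbers, ignores Bob's implausible SSN and invalid card, and leaves all three order IDs alone; `redact` shows the less disruptive response of masking rather than bouncing the message.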
Of course, companies should implement an access rights and privileges policy that gives employees access only to the data necessary to do their jobs. This is known as the least-privilege principle.
Least privilege decides what an authenticated identity may do; multi-factor authentication (MFA) makes sure that identity really is the employee it claims to be. The two belong together: a least-privilege policy is only as good as the login that enforces it, and the DBIR figures above show that stolen passwords are the most common way that login is defeated. MFA, in combination with a strong password policy, means a stolen or guessed password alone is no longer enough to reach sensitive data.
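To make concrete what the second factor buys you, here is an added example (not code from the original post or from Identity Automation) of a password-plus-TOTP login in Python following RFC 4226 and RFC 6238. The user store, the `MfaAuthenticator` class and the enrolled password are constructed for illustration; the TOTP secret is the RFC 4226 test-vector key, chosen so the generated codes can be checked against the RFC's table. The point to notice is in `login`: the correct password with a wrong or already-used code fails, and so does the correct code with a wrong password.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000

# Constructed enrolment data. The TOTP secret is the RFC 4226 test-vector key,
# used here only so the codes can be checked against the RFC tables.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class MfaAuthenticator:
    """Password + TOTP login. Both factors must pass; each code is single-use."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,
            "last_counter": -1,   # highest time step already consumed
        }

    def _password_ok(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def _totp_ok(self, rec: dict, code: str, now: int, window: int = 1) -> bool:
        """Accept the current step or +/- window steps (clock skew), but never
        a step at or below the last one used, which blocks replay of a code
        captured by a phishing page."""
        counter = now // TOTP_STEP
        for c in range(max(0, counter - window), counter + window + 1):
            if c <= rec["last_counter"]:
                continue
            if hmac.compare_digest(hotp(rec["totp_secret"], c), code):
                rec["last_counter"] = c
                return True
        return False

    def login(self, username: str, password: str, code: str,
              now: Optional[int] = None) -> bool:
        """True only when BOTH factors verify. A stolen password alone fails."""
        now = int(time.time()) if now is None else now
        rec = self.users.get(username)
        if rec is None:
            return False
        return self._password_ok(rec, password) and self._totp_ok(rec, code, now)


if __name__ == "__main__":
    auth = MfaAuthenticator()
    auth.enroll("alice", "correct horse battery staple", DEMO_SECRET)
    # At Unix time 59 the current step is 1, whose RFC 4226 code is 287082.
    print(auth.login("alice", "correct horse battery staple", "000000", now=59))
    print(auth.login("alice", "correct horse battery staple", "287082", now=59))
```

The skew window of one step either side is the usual compromise between tolerating phone clock drift and narrowing the attacker's replay opportunity; the `last_counter` check is what makes a phished code worthless a few seconds after the victim typed it.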
You can’t stop employees from making mistakes, but you can lessen the risks to your company posed by careless or negligent employees. By taking the steps outlined above, you can target and substantially reduce the leading cause of data breaches. Identity Automation can help as you implement these steps. As a start, check out our ebook, The Three Types of Rogue Employees and How to Stop Them, on insider threats and what you can do to protect your organization.