Surveys: Employees at fault in majority of breaches

A company's own employees are a significant factor in the majority of data breaches, either through malicious activity or avoidable mistakes, say two new studies, but companies aren't doing enough to address this issue.

According to a recent survey by CompTIA, human error accounts for 52 percent of root causes of security breaches, while technology errors account for 48 percent.

However, human error ranks as a serious concern for less than a third of respondents.

"The main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution," said the report. "A high level of concern over malware or hacking can be addressed with an investment in technology."

But human error can only be addressed with training, and there are few metrics to evaluate the effectiveness of training, said the report, which was released just over a week ago.

Meanwhile, the SANS Institute released its own survey yesterday showing that negligent employees accounted for the majority of concerns that companies had about insider threats, more than malicious employees, and all contractors, clients, partners and other affiliates combined.

But 32 percent of respondents said that they did not have the ability to prevent an insider incident or attack. A slight majority of respondents, 51 percent, said that lack of training was limiting their ability to deal with insider threats, 43 percent cited budget issues, 40 percent said they did not have sufficient staff, and 40 percent pointed to a lack of technology solutions.

Beyond education

Security experts were quick to suggest technical solutions to address the problem of both negligent and malicious employees.

"Our position has been that IT has been overwhelmed for the last decade trying to keep systems secure using essentially manual methods," said Philip Lieberman, president at Los Angeles-based Lieberman Software Corp.

He recommends that companies use more automated tools to manage access and credentials.

"Security awareness is a must, but it's a slow and difficult task, and as the CompTIA study shows, human error is still the largest factor behind security breaches," said Igor Baikalov, chief scientist at Los Angeles-based Securonix, Inc.

"The game changer," he said, "is continuous risk monitoring through automated analytics."

Such monitoring can detect human error, reduce false positives, and lower incident response times, he said.

"Humans were always considered to be the weakest point of the IT security chains -- and the more privileges they have, the more risk they pose to the corporate network," said Péter Gyöngyösi, product manager at Luxembourg-based BalaBit IT Security.

Gyöngyösi suggests that companies deploy technology that learns typical employee behavior patterns and then watches for anomalies, with the most attention paid to the employees with the highest privileges.

Beyond IT

Another problem is that dealing with employees, whether negligent or malicious, requires a different set of processes than battling external threats, said Mike Tierney, COO at Vero Beach, FL-based SpectorSoft Corp., which sponsored the SANS study.

"It requires a different team, a different way of handling things because you're dealing with employees inside your company, and they have legal rights," he said.

Both prevention and response can require action by human resources, legal and other company departments, not just IT.

Tierney recommends that information security managers reach out to those departments, not just after a breach occurs, but proactively, to help prevent them.

For example, if an employee applied for a promotion and was rejected, or a salesperson was put on a performance plan and was about to miss their targets and be fired, these could be early indicators of potential problems.

For privacy reasons, human resources may not be able to provide the details of each situation.

"But they could say that there's elevated risk," Tierney said. IT can then respond by improving the awareness of that particular employee.

"I think that can go a long way," he said.

How big a problem are insiders, anyway?

Both of the new surveys, however, go counter to other studies about the causes of security breaches.

For example, according to Verizon, internal actors were responsible for an average of 11 percent of all breaches in 2010, 2011, 2012 and 2013. Partners were responsible for less than 1 percent of breaches.

According to Tierney, that's because a lot of the insider cases are being missed.

"Seventy five percent of insider crimes go unreported or are not prosecuted," he said.

In fact, according to last year's CERT report, 75 percent of companies handled insider threats internally without any legal action, and only 10 percent involved law enforcement, with most of the rest handling incidents through internal legal action.

Stories by Maria Korolov