A company's own employees are a significant factor in the majority of data breaches, either through malicious activity or avoidable mistakes, say two new studies, but companies aren't doing enough to address this issue.
According to a recent survey by CompTIA, human error accounts for 52 percent of root causes of security breaches, while technology errors account for 48 percent.
However, human error ranks as a serious concern for less than a third of respondents.
"The main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution," said the report. "A high level of concern over malware or hacking can be addressed with an investment in technology."
But human error can only be addressed with training, and there are few metrics to evaluate the effectiveness of training, said the report, which was released just over a week ago.
Meanwhile, the SANS Institute released its own survey yesterday showing that negligent employees accounted for the majority of concerns that companies had about insider threats, more than malicious employees, and all contractors, clients, partners and other affiliates combined.
But 32 percent of respondents said that they did not have the ability to prevent an insider incident or attack. A slight majority of respondents, 51 percent, said that lack of training was limiting their ability to deal with insider threats, 43 percent cited budget issues, 40 percent said they did not have sufficient staff, and 40 percent pointed to a lack of technology solutions.
Security experts were quick to suggest technical solutions to address the problem of both negligent and malicious employees.
"Our position has been that IT has been overwhelmed for the last decade trying to keep systems secure using essentially manual methods," said Philip Lieberman, president at Los Angeles-based Lieberman Software Corp.
He recommends that companies use more automated tools to manage access and credentials.
"Security awareness is a must, but it's a slow and difficult task, and as the CompTIA study shows, human error is still the largest factor behind security breaches," said Igor Baikalov, chief scientist at Los Angeles-based Securonix, Inc.
"The game changer," he said, "is continuous risk monitoring through automated analytics."
Such monitoring can detect human error, reduce false positives and lower incident response times, he said.
"Humans were always considered to be the weakest point of the IT security chains -- and the more privileges they have, the more risk they pose to the corporate network," said Péter Gyöngyösi, product manager at Luxembourg-based BalaBit IT Security.
Gyöngyösi suggests that companies deploy technology that learns typical employee behavior patterns and then watches for anomalies, with the most attention paid to the employees with the highest privileges.
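The approach Baikalov and Gyöngyösi describe above, baselining each user's normal activity and then scoring new events for deviations, with the score weighted by the user's privilege level, can be sketched in a few dozen lines. The example below is added here for illustration; it is not code from Securonix, BalaBit or any product mentioned in the article. The log format, user names, hosts, record counts and privilege weights are all constructed assumptions.

```python
"""Toy user-behaviour baseline and anomaly scoring.

Added example, not vendor code. Log lines are constructed: "ISO timestamp|user|host|records_touched".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed "normal" activity used to learn each user's baseline.
TRAINING_LOG = """\
2014-07-14T09:05:00|alice|db-01|120
2014-07-14T10:40:00|alice|db-01|95
2014-07-15T09:12:00|alice|db-01|130
2014-07-15T14:02:00|alice|db-01|110
2014-07-16T09:30:00|alice|db-02|100
2014-07-14T08:50:00|bob|fs-01|40
2014-07-15T09:10:00|bob|fs-01|55
2014-07-16T10:00:00|bob|fs-01|45
2014-07-17T09:45:00|bob|fs-01|50
"""

# Constructed events to score against that baseline.
NEW_LOG = """\
2014-07-21T09:15:00|alice|db-01|115
2014-07-21T02:30:00|alice|hr-db|9000
2014-07-21T19:00:00|alice|db-01|105
2014-07-21T23:10:00|bob|fs-01|48
2014-07-21T10:05:00|bob|fs-01|52
"""

# Assumed privilege levels. The multiplier implements the article's point that
# the most privileged users deserve the most scrutiny.
PRIVILEGE_WEIGHT = {
    "alice": 3.0,  # database administrator (assumed)
    "bob": 1.0,    # ordinary staff (assumed)
}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    records: int


@dataclass
class Baseline:
    hours: set[int]        # hours of day the user has been seen active
    hosts: set[str]        # hosts the user has touched before
    mean_records: float    # typical volume per action
    stdev_records: float


def parse(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, records = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, host, int(records)))
    return events


def build_baseline(events: list[Event]) -> dict[str, Baseline]:
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        counts = [e.records for e in evs]
        baselines[user] = Baseline(
            hours={e.ts.hour for e in evs},
            hosts={e.host for e in evs},
            mean_records=mean(counts),
            stdev_records=pstdev(counts),
        )
    return baselines


def score_event(e: Event, baselines: dict[str, Baseline]) -> tuple[float, list[str]]:
    """One point per deviation from the user's own baseline, plus the reasons."""
    b = baselines.get(e.user)
    if b is None:
        return 3.0, ["no baseline for user"]
    score, reasons = 0.0, []
    if e.ts.hour not in b.hours:
        score += 1
        reasons.append(f"unusual hour {e.ts.hour:02d}")
    if e.host not in b.hosts:
        score += 1
        reasons.append(f"new host {e.host}")
    # Volume: flag anything more than 3 standard deviations above the user's
    # mean; floor the deviation at 1 record so a flat history cannot zero it.
    threshold = b.mean_records + 3 * max(b.stdev_records, 1.0)
    if e.records > threshold:
        score += 1
        reasons.append(f"volume {e.records} > {threshold:.0f}")
    return score, reasons


def detect(training_log: str, new_log: str, alert_threshold: float = 2.0):
    """Return (user, timestamp, weighted_score, reasons) for each event that alerts."""
    baselines = build_baseline(parse(training_log))
    alerts = []
    for e in parse(new_log):
        raw, reasons = score_event(e, baselines)
        weighted = raw * PRIVILEGE_WEIGHT.get(e.user, 1.0)
        if weighted >= alert_threshold:
            alerts.append((e.user, e.ts.isoformat(), weighted, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(TRAINING_LOG, NEW_LOG):
        print(alert)
```

Running it alerts twice, both on alice: the 02:30 pull of 9,000 records from a host she has never used scores three deviations (weighted 9.0), and her single off-hours login at 19:00 scores one deviation but still crosses the threshold because of the 3x privilege weight (3.0). Bob's identical single deviation, a 23:10 login, scores 1.0 and is not raised, which is the privilege-weighted triage the article describes. A real deployment would baseline over weeks rather than days and add more features, but the shape is the same.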
Another problem is that dealing with employees, whether negligent or malicious, requires a different set of processes than battling external threats, said Mike Tierney, COO at Vero Beach, FL-based SpectorSoft Corp., which sponsored the SANS study.
"It requires a different team, a different way of handling things because you're dealing with employees inside your company, and they have legal rights," he said.
Both prevention and response can require action by human resources, legal and other company departments, not just IT.
Tierney recommends that information security managers reach out to those departments, not just after a breach occurs, but proactively, to help prevent them.
For example, if an employee applied for a promotion and was rejected, or a salesperson was put on a performance plan but was about to miss their targets and be fired, these could be early indicators of potential problems.
For privacy reasons, human resources may not be able to provide the details of each situation.
"But they could say that there's elevated risk," Tierney said. IT can then respond by stepping up security awareness efforts for that particular employee.
"I think that can go a long way," he said.
How big a problem are insiders, anyway?
Both new surveys, however, run counter to other studies of the causes of security breaches.
For example, according to Verizon, internal actors were responsible for an average of 11 percent of all breaches in 2010, 2011, 2012 and 2013. Partners were responsible for less than 1 percent of breaches.
According to Tierney, that's because a lot of the insider cases are being missed.
"Seventy five percent of insider crimes go unreported or are not prosecuted," he said.
In fact, according to last year's CERT report, 75 percent of companies handled insider incidents internally without any legal action, only 10 percent involved law enforcement, and most of the rest dealt with incidents through internal legal action.