The risk of data breaches by employees and other trusted insiders is getting a lot of attention lately. A recent survey by The Ponemon Institute found that employee negligence is a greater risk than malicious intent when it comes to data security problems. Unintentional mistakes, which may be caused by multitasking and working long hours, can result in insider threats and cost companies millions of dollars each year.
The survey report, “The Unintentional Insider Risk in United States and German Organizations,” found that it can cost a US company as much as $1.5 million and a German company €1.6 million in time wasted responding to security incidents caused by human error. This doesn’t even count the fines and legal problems that may arise from these incidents. The survey, commissioned by Raytheon|Websense, found that 70 percent of US and 64 percent of German respondents report that more security incidents are caused by unintentional mistakes than by intentional and/or malicious acts.
Disturbing findings show that many senior executives do not consider data security a priority. While those in highly regulated industries, like healthcare and financial services, may be forced to focus on protecting personally identifiable information (PII) and personal health information (PHI), many are doing the bare minimum to be compliant. For others, this may not even be on their radar.
“Maliciousness is tagged as the leading cause in insider threat discussions, but the impact of negligence cannot be overlooked,” said Ed Hammersla, president of Raytheon|Websense. “As the Ponemon study reveals, security incidents are caused by negligence which leads to a decrease in IT productivity. Workplace stress, multitasking, long hours and a lack of resources and budget are the biggest contributors to employee negligence. Having programs in place that include a mixture of training, policy and technology are vital to addressing insider threats before they become a major issue.”
One example that we can all relate to is accidentally sending an email attachment to the wrong person. I know of an incident where an HR staffer accidentally sent a spreadsheet with employee contact information to everyone in the company. What the person failed to realize was there were hidden columns that showed people’s social security numbers, salaries and bonus opportunity. That email was also sent to partners, because the HR staffer thought it would be valuable to have contact information for easier communication.
People with too much to do can be careless and cause these types of problems. They unintentionally share documents containing sensitive information with unauthorized internal and external people. The best way to protect your company from data breach incidents like this is to eliminate the person from the equation and automatically lock documents as soon as someone creates them.
By encrypting documents and applying persistent security policies to them automatically, sensitive information is protected regardless of where it goes. If the HR staffer in the previous example had this type of protection on that spreadsheet, he could have immediately revoked access to the document. If anyone inside or outside of the company tried to open it, they would have been denied access. No data breach.
Unintentional employee negligence may be the new normal as everyone is trying to do more with less. Help people protect themselves from an “oops moment” by protecting your most valuable data with data-centric security. The next time you are asked to do a survey like this, you can state that you have dramatically reduced your risk of an insider threat.
Photo credit Tom Woodward