Bill Blake, President of Fasoo, Inc., joined Dr. Larry Ponemon on July 20, 2016 to present to the Ponemon RIM Council the findings of the recent Ponemon Institute survey “Risky Business: How Company Insiders Put High Value Information at Risk”. Bill and Larry discussed numerous points highlighted in the survey, including how to deal with careless acts by employees and contractors that can ultimately result in a data breach.
The Ponemon RIM (Responsible Information Management) Council is a select group of privacy, security and information management leaders from multinational corporations who are champions within their various industries on issues involving privacy and data protection. Many of the members were very interested in the conversation about company insiders, since many security organizations focus more of their technology and human resources on fighting external threats to sensitive information.
Companies in this study said the primary cause of data breaches was the careless employee (56 percent of respondents), followed by lost or stolen devices (37 percent of respondents) and system glitches (28 percent of respondents). In contrast, only 22 percent of respondents say external attackers caused the breach, and 17 percent say malicious or criminal insiders did. It is interesting that organizations believe they are more effective in preventing external attacks by hackers and third parties than in preventing breaches caused by careless employees or malicious or criminal insiders, yet the survey points to insiders as being the greater threat. This is in contrast to what many organizations view as the primary threat to their intellectual property and other high value information.
While a lot of focus is on strengthening perimeter security to address external threats, clearly companies need to look internally to prevent exposure of information through careless or malicious acts. Two key ways to remediate these issues are to create training programs that address the common and careless actions prevalent in most companies, and to take advantage of technologies that allow for self-securing data based on the value of the content, rather than relying on employees to decide what is and what is not sensitive and high value information.