The report “The Human Factor in Data Protection” indicates that most organizations fault malicious or negligent employees for the majority of data breaches. Nearly 80 percent of surveyed executives believe that employee behavior accounted for at least one breach in the prior two-year period. The top reported causes for the intentional or unintentional errors included the loss of a mobile data-containing device (35 percent), third-party blunders (32 percent), and technical glitches (29 percent). However, 70 percent of those polled agreed that their current organizational security protocols are insufficient to stop hackers or other network-based attacks.
Breaches caused by unintentional actions are typically discovered only by accident (56 percent), and fewer than one-fifth of respondents (19 percent) said that employees ever reported the breach, leading to long-term unresolved issues regarding the compromised data. Audits were cited by 37 percent of respondents as the means by which the breach was found, while 36 percent said that data-protection software discovered the breach. The report also showed that small and medium-sized businesses (SMBs) are at greater risk of employees mishandling data: 81 percent experience data breaches resulting from mishandled data, as opposed to 78 percent of large businesses. Risky behaviors reported among SMB employees, compared to large-business employees, include opening email spam attachments and links (58 percent vs. 39 percent), leaving computers unattended (77 percent vs. 62 percent), and visiting restricted websites (55 percent vs. 43 percent).
Dr. Larry Ponemon, Founder and Chairman of Ponemon Institute, said, “Our conclusion is that most threats posed by employees and those within companies are becoming more prevalent because of the mobility of the workforce, proliferation of mobile data-bearing devices, consumerization of IT, and the use of social media in the workplace. We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks. Combined with data-centric security technology, education and awareness among employees are essential.”