Unintentional Yet Damaging Causes of a Data Breach

Data breaches are the number one problem for businesses today; almost every company needs an efficient IT infrastructure together with a strong IT security policy and the systems to keep pace with what the digital age demands.

What’s alarming, though, is that according to the Online Trust Alliance (OTA), 90 percent of the data breaches that occurred in the first half of 2014 could easily have been prevented.

What’s worse is that these preventable data breaches occur internally. Businesses are so busy protecting themselves from external attacks or intrusions that they forget the risks hidden within their staff.

A survey of 7,000 IT executives and ordinary employees across North America and Europe revealed that simple loss or theft causes 31 percent of data breaches, with employee misuse a close second at 27 percent.

OTA further confirms this, as it has found that among a thousand breaches reported in 2014, only 40 percent were caused by external attacks, while employees caused an alarming 29 percent — whether accidentally or maliciously.

Unintentional Causes of Data Breach

According to a Forrester Research report, most data breaches are caused by mundane events such as employees losing corporate assets, having them stolen, or simply misusing them unwittingly. OTA reports that among the breaches caused internally by employees, 18 percent were attributed to lost or stolen devices or documents, and 11 percent to social engineering or fraud.

Accidental insiders, users who unintentionally expose your company to a data breach, are estimated to make up 25 to 35 percent of a company’s or organization’s employees. These are employees who hold access to data they should never have been granted.

What stands out across all of this data is that insider data breaches most often occur through negligence. Human error and susceptibility to social engineering can be exploited to cause data breaches, and that is where our attention needs to be.

Operations

Data breaches often happen right in the thick of operations, almost always because security policies or standard operating procedures are not followed.

Common examples are users copying confidential information to a USB device without encryption, downloading sensitive data onto a personal laptop, unintentionally exposing data to non-company users, or downloading it onto a company laptop that is then misplaced or stolen. Predictably, the arrival of mobile devices and the consumerization of IT has not helped matters.

According to Craig Spiezle, Executive Director and President of OTA, “Businesses are overwhelmed with the increasing risks and threats, yet all too often fail to adopt security basics.”

Releasing guides and best practices is not enough to prevent breaches; strict enforcement of policies and continuous training and retraining of users and employees are also needed.

Administration

Human error weighs heavily among those who administer security. According to the 2013 Verizon Data Breach report, human error accounted for 48 percent of all threat actions across 47,000 security incidents.

Common examples are IT employees who misconfigure a system and leave it open to attack, mismanagement of user access to sensitive projects that allows “permission creep,” and the IT technician who disposes of hard disks without making sure the data on them has been wiped.

Since administrative users account for a large share of unintentional errors, internal and external audits help them spot discrepancies and anomalies and catch errors early, before a data breach happens. Proper segregation of duties is also needed, or a buddy system in which staff double-check each other’s work. Routinely rotating controls can also keep IT staff from becoming too lax about routine work.
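As an added illustration of the kind of access audit described above (example code, not part of the original article), the script below compares an access snapshot against per-role baselines and flags both permission creep and approved access that has gone unused; the roles, entitlements, users and dates are constructed sample data.

```python
from datetime import date

# Role baseline: entitlements each role is expected to hold (constructed sample).
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "analyst": {"reports:read", "warehouse:query"},
    "helpdesk": {"tickets:read", "tickets:write", "directory:read"},
}

# Current access snapshot, shaped like an IAM export (constructed sample).
# Each row: (user, role, entitlement, last-used ISO date or None if never used).
ACCESS_SNAPSHOT = [
    ("alice", "developer", "repo:read", "2014-06-20"),
    ("alice", "developer", "repo:write", "2014-06-20"),
    ("alice", "developer", "ci:run", "2014-02-01"),           # approved but idle
    ("alice", "developer", "warehouse:query", "2014-01-15"),  # left over from a past project
    ("bob", "helpdesk", "tickets:read", "2014-06-25"),
    ("bob", "helpdesk", "tickets:write", "2014-06-25"),
    ("bob", "helpdesk", "prod:admin", None),                  # outside the helpdesk role
    ("carol", "analyst", "reports:read", "2014-06-24"),
    ("carol", "analyst", "warehouse:query", "2014-06-24"),
]


def find_permission_creep(snapshot, baseline, today, stale_days=90):
    """Return {user: {"excess": [...], "stale": [...]}} for users whose access drifts.

    excess: entitlements outside the user's role baseline (permission creep).
    stale:  approved entitlements not used within stale_days (candidates for removal).
    Users with nothing to review are omitted.
    """
    findings = {}
    for user, role, entitlement, last_used in snapshot:
        allowed = baseline.get(role, set())
        entry = findings.setdefault(user, {"excess": [], "stale": []})
        if entitlement not in allowed:
            entry["excess"].append(entitlement)
        elif last_used is None or (today - date.fromisoformat(last_used)).days > stale_days:
            entry["stale"].append(entitlement)
    return {u: {k: sorted(v) for k, v in f.items()}
            for u, f in findings.items() if f["excess"] or f["stale"]}

def audit_sample():
    """Run the audit over the constructed snapshot as of a fixed review date."""
    return find_permission_creep(ACCESS_SNAPSHOT, ROLE_BASELINE, date(2014, 7, 1))

if __name__ == "__main__":
    for user, finding in audit_sample().items():
        print(user, finding)
```

In practice the snapshot would come from the directory or IAM system's export and the baseline from the role definitions signed off by the data owners; the same comparison then runs on a schedule so that creep is caught in review rather than after an incident.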

Third-Party Vendor Partners

Third-party vendor partners have their own internal procedures and systems for preventing data breaches. What’s important is to ensure that their policies and procedures are aligned with your company’s standards.

Assessing your partners for vulnerabilities against standard compliance guides can help identify weak points. Ask whether they segregate their internal systems from those used for other clients, so that confidentiality is assured, especially when it comes to cloud services.

While you may be quick to point out that only a quarter of accidental breaches occur internally, note that when one does happen, 35 percent of your time will be spent dealing with it.

A comprehensive IT risk audit can give a company solutions for addressing its patching and data loss protection requirements, the items flagged for remediation during the risk assessment.