As organizations collect large amounts of sensitive information about their customers, they have the responsibility to properly protect it. With new legislation coming into effect like the EU’s GDPR and the CCPA, the importance of data protection and the potential costs of failing to protect sensitive data grow.
Data breaches can have a devastating impact on an organization, and many businesses are incapable of recovering after a breach. While most businesses are working to put defenses in place against external threats to data security, this is not sufficient. While external threat actors, like cybercriminals, are the leading cause of data breaches, a significant portion are caused by an organization’s employees. While these individuals must be trusted with this data in order to do their jobs, they also create a significant risk of it being breached.
Targeting the Weakest Link
There are a variety of different ways that an attacker can gain access to an organization’s internal network. These range from physically breaking into the building and sitting down at an employee’s computer to performing cyberattacks from halfway across the globe. In general, most of the potential ways to attack an organization will probably work, but some are easier than others. In the beginning, hacking was a hobby with computer nerds trying to break into systems and bypass defenses just to prove that they could. However, in the modern world, cybercrime is a business, where organized crime groups try to steal personal information and other valuable data for resale or their own use.
With the commercialization of hacking, cybercriminals are focused on making a profit, and this requires taking the most efficient approach to their goal. While exploitation of known software vulnerabilities is one commonly used approach, it is relatively easy for an organization to deploy patches to fix the issue.
Protecting against the human threat, on the other hand, is much more difficult. Software-based defenses have to give up some security for usability. In many cases, the software relies on the human to make the right decision, like whether or not to click on a link in an email or how to configure security settings in a cloud deployment.
However, humans are relatively easy to trick, which is why over 99% of cyberattacks rely upon a human taking some action to advance the attack.
The Human Threat to Data Security
In the modern world of big data and data protection regulations, the threat of the data breach is one of the biggest facing most organizations. These companies collect vast amounts of their customers’ personal data as a core part of doing business. The intention may vary from collecting payment card data for transaction processing to the large-scale data collection and processing performed by social media to sell targeted advertising, but the end result is the same. These organizations have massive amounts of sensitive data in their care that can have significant impacts if it is leaked. While the government often installs Sensitive Compartmented Information Facilities (SCIF) in their buildings, for smaller companies this can be impractical and other solutions are needed.
In general, cybercriminals don’t care how they gain access to sensitive data as long as they can. While 51% of data breaches are caused by hackers, almost a quarter (24%) are caused by human error. This probably understates the level of involvement that employees have in data breaches, since many hacker-driven breaches likely exploit employees through phishing and other means, but it demonstrates that an organization’s employees are one of the leading threats to the security of the data in their care.
Data breaches caused by employee negligence can occur in a variety of different ways. A common story is that sensitive or confidential business data is stored on a cloud deployment with security set to public, allowing anyone with knowledge of the URL to access it (and tools exist for scanning for these insecure cloud instances). One way businesses could avoid this is to store their business data using various solutions such as 4D Data Centres or other storage options, and have the access abilities restricted to those that are highly trusted. Having data stored in these centres can also allow for the easy monitoring of any employee footprints within data sets. However, employees can also accidentally leak sensitive data in a variety of other ways, including (but not limited to) failing to properly dispose of sensitive printed documents, using reply-all on email chains, and losing a USB drive, smartphone, or laptop containing proprietary information.
In many cases, cybersecurity awareness training or the organization’s policies and procedures cover the exact situation that led to data breaches caused by employee negligence. However, people forget things, make mistakes, or prioritize the ability to do their job over security. Unlike software, which can be patched once and remain secure against that particular attack forever, humans need repeated training to protect against dangerous cybersecurity behaviors. And even then, a well-trained human can still make a mistake that leads to a breach.
Protecting Sensitive Data from Employee Negligence
Employee negligence and the ability of cybercriminals to take advantage of human behavior are behind the majority of data breaches. As data protection regulations become more common and the cost of a breach grow, businesses need to do everything that they can to protect themselves against becoming the victim of a breach.
Employee cybersecurity awareness training is a vital component of this, as a well-trained employee is much more likely to properly identify and respond to a potentially dangerous situation. However, people make mistakes and organizations cannot rely on training alone to protect them. Protecting against data breaches requires deploying a data security solution that is capable of identifying sensitive data, testing its defenses, and monitoring access patterns for suspicious anomalies. This allows an organization to detect and respond to employee negligence before it becomes a threat to the business.