Maybe we've been making a mistake all these years, plowing the majority of our IT security resources into new security approaches and technologies. More and more studies are showing that human error is behind a significant number of security breaches.
This is not to say, of course, that companies can dramatically scale back their IT security budget allocations or that earlier investments were all in vain. Security technology is a necessity now for even the smallest firm. However, the growing evidence that human error is to blame for much of companies' IT mishaps is well worth highlighting.
"While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps," according to Gerald Ferguson, co-leader of BakerHostetler's Privacy and Data Protection Team, which issued one of the reports.
"Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimize vulnerabilities."
But first, the numbers. Here's a sample of what we've learned just recently:
BakerHostetler reported that in the incidents that the firm worked on last year, employee negligence was responsible 36 percent of the time. That was followed by theft by outsiders (22 percent), theft by insiders (16 percent), malware (16 percent) and phishing attacks (14 percent).
Perspecsys noted that 22 percent of the cyber security professionals it surveyed at the recent RSA Conference 2015 felt "human error" was the greatest threat to their organizations.
CompTIA noted that 52 percent of US executives believe human error is a growing factor in security incidents.
This is not a problem limited to the U.S. either. Several months ago, the London-based Egress Software Technologies reported its findings from a Freedom of Information request to the Information Commissioner’s Office. In short, there was a worrying increase in data breaches as a result of human error.
The Value of Self-Detection
One reason to bring attention to this issue was highlighted in the BakerHostetler report: it found that incidents were self-detected 64 percent of the time. Unfortunately, they were not detected in a timely enough manner. The report found that the average amount of time that elapsed from incident occurrence to detection was 134 days.
A timely response is crucial for a number of reasons, including being able to mitigate damage and exposure of data as quickly as possible, the ability to recover forensic evidence that could disappear after a period of time, and getting ahead of the breach before it is made public by a third party.
The need for fast detection is underscored by a finding in the Egress Software report: the training provided, and growing awareness of IT threats in general, is having little impact on workers. Because the rate of human error behind security breaches is actually growing, companies must automate as many processes as possible.
"Of course, we will never be able to completely rule out people making mistakes but clearly safeguards are urgently needed," Egress Software Technologies' Tony Pepper said.
"Confusion can often put confidential data at risk, with users unsure of when and how to encrypt," he said, adding that companies' continued reliance on fax and postal mail, which its report also uncovered, "demonstrates a disturbing lack of care and control taken to sensitive information."
And while they are at it, companies should plug the remaining holes in their security safety nets as they relate to staff.
CompTIA found that increased use of social media by workers was one of the reasons behind human-made security errors, as was the failure of staff to get up to speed on new avenues of threats, such as mobility and the cloud.
Not that all blame can be laid at the feet of the workers: CompTIA also found that inadequate resources, that is, not enough IT staff to manage security threats, was behind 20 percent of the breaches in the U.S. that were attributable to human error.