“The fault, dear Brutus, is not in our stars,
But in ourselves…”
-William Shakespeare (in his play Julius Caesar)
Here’s a startling statistic: Insider negligence is more than twice as likely to cause the compromise of insider accounts as any other potential source. This tidbit is found in one of the latest reports from the Ponemon Institute. The report, “Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations,” sponsored by Varonis, stems from a study conducted to determine the security gaps within organizations that can lead to data breaches and security incidents. A total of 3,027 employees in U.S. and European organizations (United Kingdom, Germany and France) were surveyed, including 1,371 individuals who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,656 individuals who work in IT and IT security.
As 2016 heads toward its final quarter, most companies are investing in security: spending on products, beefing up security teams, developing response plans, hiring consultants, and so on. All of this helps, but a company is well advised to address what is widely seen as its weakest link: its employees.
Why is it that despite the ongoing cascade of stories about cyber breaches, individuals within companies continue to serve as open front doors to corporate data? Well, in part it’s because as creatures of habit, we become so accustomed to using email, texting, and visiting social media sites so regularly that we do so without thinking. We’re operating by rote—opening, clicking, visiting, and otherwise being consumers of the vast amounts of information and freedom made possible by the digital age. Many of us have seen someone cross a street against the light or drive through a red light while busy on their handheld device. Much like those situations, our tendency to open emails and click on links leaves us wide open to cybersecurity accidents with potential severe repercussions.
Addressing this problem requires a combination of effective technology, better policies and procedures (including restricting access to sensitive data: the report cited earlier says 62% of the employees surveyed said they had access to data they probably should not be able to see), and education and training. Training has to be persistent and detailed so that sensitivity to potential breaches is inculcated and retained. As the Bard also said, “What’s done is done,” but there is much left to do to lessen the prospect that your employees will be the source of future cyber mischief.
By Tom Davis, SDI Cyber Risk Practice
August 16, 2016