Most data breaches come from within

24 September 2012

While the data breach events that catch headlines are the work of hacking collectives and professional malware writers, it turns out that the vast majority of information compromises come at the hands of a much less nefarious source: the firm’s own unwitting employees.

According to new research from Forrester, only 25% of data breach cases are the work of external attackers. And only 12% of them were perpetrated by insiders with ill intent. That leaves 63% of the issues caused by something more mundane, like losing or misplacing corporate assets, the report has found. Physical theft of items like laptops and smartphones is part of the 63% as well, as is “inadvertent misuse” of company privileges and equipment.

“It’s not simply just a matter of having the appropriate tools and controls in place. It’s worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organization’s current security policies,” said researcher Heidi Shey in the report.

As for the victims of the breaches, employee and customer personal data accounted for 22% of cases reported, while intellectual property accounted for 19%. Sensitive identity management credentials like user names and passwords came in at 11%.

Forrester questioned more than 7,000 employees across North America and Europe for the survey, and also found that consumerization and the bring-your-own-device (BYOD) trend are fueling mobile security concerns in the enterprise.

Around 30% of survey respondents said that they didn’t think there was enough of a dividing line between consumer and corporate data on mobile devices. That spurred 39% to say that they worried about a lack of data leak prevention on mobile devices, with half concerned about the consequences of simple physical theft.

And indeed most organizations seem to have policies when it comes to mobile security, but most of them don’t have adequate protections in place because they lack the tools required to enforce those policies, Forrester found. While most mobile devices have native capabilities as measures against breaches – such as passcodes or passwords, and remote lock and wipe – almost 25% of those surveyed said they don’t have any form of data protection implemented on their devices.

All in all, it seems that employee training for security awareness is in order. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” wrote Shey.




ansleyheffner says:

05 October 2012

Wow, I can't believe only 36% of security breaches are external. Lost devices seem to be a big problem. For us, we knew it was an issue, since we are a hospital, and if a doctor loses their cellphone and they have sent patient info by text or attachment, then we have a HIPAA violation and can get a fine or lawsuit. We have been struggling with this issue for some time now, but recently we installed a BYOD policy and paid for the doctors to use the Tigertext app for their devices which is a secure texting app that is HIPAA compliant and auto deletes the messages from the device so if they are lost or stolen we can still maintain compliance. It is not a full solution, but it takes care of what seems to be 64% of the problem.

lkovnat says:

25 September 2012
Your article caught my eye because the results are consistent with a conclusion from a survey Xerox and McAfee recently commissioned. More than half (54 percent) of employees say they don’t always follow their company’s IT security policies (33 percent) or aren’t even aware of the policies (21 percent). The results are dismal enough for the desktop and even worse for printers and MFD’s. For example, only 13 percent of employees whose workplace has a printer, copier or MFP said they are prompted to enter a password or passcode on the MFP before releasing a job they’ve printed or accessing the ability to copy. The conclusion is that either there is no policy for these devices to begin with, or if there is, the policy isn’t being enforced. The IT staff and the end users themselves are on the front-lines but they need to be backed up with the necessary training to avoid unnecessary data leaks. Larry Kovnat, Sr. Mgr. Product Security, Xerox Corporation
