The vast majority of data breaches are the result of the errors, oversights, or deliberate mischief of individual employees.
A 2015 study by CompTIA attributed 52% of all incidents to “human error.” Statistics reported by the UK’s Information Commissioner’s Office in 2016 put the figure at 62%.
Michael Bruemmer, vice president of Experian Data Breach Resolution, noted that “about 80% of all the breaches we service have a root cause in some type of employee negligence.”
Instead of instituting a campaign touting “Only you can prevent data breaches,” both the victim organizations and the press usually foster a narrative of data breaches that emphasizes the frightening technological offense, rather than the humble human defense.
The overall impression is that data breaches are the result of enemy nation states, hacktivists, organized crime, and other evil forces who have leveraged the skills of armies of young technologists to unleash unrelenting attacks on American businesses and their information assets—which is of course true. The presence of barbarians at the gate should be the reason to ensure the day-to-day users who operate the gate do not unwittingly let them in.
Gartner has estimated that cybersecurity spending will exceed $1 trillion over the next five years—to be spent in large measure on technology and cybersecurity professionals. Meanwhile spending on cybersecurity employee awareness training is estimated to reach just $10 billion over the next ten years—a far smaller slice of the pie. Yet a single employee’s mistake can open the gate to the barbarians and render all that supporting technology moot.
Prudent Digital Behavior
Where the responsibility for information security once was the province of computer science specialists, the PC revolution shifted that responsibility onto individual users who sometimes struggle to know how to turn their computers on. Yet it is the individual users who form the ultimate boundary between an organization’s information system and the outside world, and their behavior has direct and tangible effects on the security of that boundary.
Nowhere is this more evident than in the case of phishing attacks. No matter how well hardened a network, or how sophisticated and robust the technology girding its defense, the most vulnerable spot will always be the channels of communication that necessarily flow into the network from the outside.
The common thread of many recent stories is that the user behaviors exploited by attackers were not especially high-tech in nature. Not clicking on links in emails, not re-using passwords, deploying available tools like encryption and two-factor authentication, and running regular backups are relatively easy and inexpensive actions that, had they simply been more common and reflexive on the part of users, would have imposed significant barriers to the attackers in many of the most headline-grabbing recent incidents.
Effective employee awareness training can be the differentiator between those organizations that are merely targeted by attackers, and those that are actually victimized by them.
The old story goes that two men in the jungle spot a lion. One man starts lacing up his running shoes. The other asks, “Do you really think you can outrun a lion?” “No,” the runner replies, “I think I can outrun you.” There are determined attackers out there, with deep resources to launch coordinated, targeted, sophisticated attacks. Why make it easy for them?