I always look forward to the insightful reports published by Ponemon Institute, and their latest, “The Post Breach Boom,” didn’t disappoint. The focus of this particular study was on what organizations do after the “Oh, crud!” moment when they discover that a data breach has occurred. There’s a lot of great info here, but I want to hone in on just one of the findings, summarized in a table captioned, “How the Non-malicious Breach Occurred,” or what I might rather title, “The Top 5 Breach Excuses (Heard over the Cubicle Wall).”
Here they are—slightly paraphrased data breach excuses from the Ponemon originals:
- “But I dragged all those files into the recycle bin and emptied it.” The number one cause of security and privacy breaches? The failure to degauss or completely wipe a device containing sensitive data. Digital dumpster diving is alive and well, on the rise, and easier than ever.
- “Have you seen my thumb drive, the one that looks like a little skateboard?” I’m willing to bet that the proverbial “lost device containing sensitive data” will soon overtake the current top offender. Can you spell BYOD?
- “Oops! I think I just cc’d the whole list.” Many non-malicious data breaches occur in the careless transmission or transit of sensitive data to a third party, whether it involves inappropriate data or unintended recipients—or both.
- “You mean I need to password protect my phone?” A close cousin of this one is, “But I’ve never had a problem at Coffeenet Cafe.” Employees routinely compromise sensitive data using insecure Internet applications or connections that get exploited in myriad ways.
- “Hey, you weren’t supposed to see that.” Rounding out the list is the breach resulting from an employee or contractor mistakenly given access to sensitive data. The folks at Cheezburger could have some fun with this one. Play fast and loose with confidential information and it will surely find its way beyond your walls.
Levity aside, breaches are a serious matter, and “insider risk” – even the non-malicious variety – is a primary cause of the trouble. It turns out a little ignorance goes a long way: Ponemon found that uninformed employee or contractor negligence was the leading cause of non-malicious breach incidents. And they’re not cheap, either. While less costly than the malicious variety, non-malicious data breaches were still found to average $500,000 per incident.
Lastly, the research also ventured into the reasons organizations failed to prevent a breach. Topping the list, no surprise, were the familiar people-centric causes:
- Lack of in-house expertise
- Inadequate security processes
- Poor leadership
The good news is that they didn’t stay that way for long. As you might guess, the vast majority of those who suffered a data breach subsequently made the necessary corrective investments (including security awareness training) to prevent their painful recurrence. (Just like the people who installed a security system after they’d been burglarized.) So why not save yourself some money, grief, and a whole lot of professional and market embarrassment by shoring up the most vulnerable endpoint of all – your people – before you’re forced to write that $500,000 check.