Data breaches caused mostly by negligence and glitches, study finds
While data breaches born of malicious attacks grab headlines, more data thefts are caused by employee negligence and computer glitches, according to a report this week by Symantec and the Ponemon Institute.
Almost two-thirds of data breaches in 2012 could be attributed to negligence or human error (35 percent) and system glitches (29 percent), reported the eighth annual Ponemon Global Cost of a Data Breach study.
However, malicious attacks remain the single highest cause of breaches, with 37 percent of the intrusion pie.
Those figures vary by nation, the report showed. For example, Germany had an almost even split between malicious attacks (48 percent) and negligence/glitches (52 percent). By comparison, more than three-quarters of the breaches (77 percent) in Brazil were blamed on human error-system failures.
"Data breaches normally aren't about bad people," Larry Ponemon, founder and chairman of the institute that bears his name, said in an interview. "It's normally about good people making mistakes or business processes that fail."
A common misconception by organizations is that security policies can eliminate human error, said Tony Busseri, CEO of Route1, a maker of security and identity solutions. "We have this expectation that because there's a policy manual and core training, that people are going to execute perfectly," he said in an interview. "They don't."
"We so often focus on the North Koreans or the Chinese or the bad guys, when in reality we create the large majority of breaches ourselves."
Even the lynchpin of a malicious attack can depend on human frailty, pointed out Timothy Zeilman, vice president of Hartford Steam Boiler, a unit of Munich Re, which released a study this week on cyber attacks on small businesses.
"There are a number of ways that cyber attacks can be orchestrated," he said in an interview. "But one of the common ways to do it is to take advantage of some weakness in human nature by getting someone to open an email or do something they shouldn't do if they were mindful of computer security at all times."
The increased presence of employees' personal devices in the workplace is often cited as a potential source of data breaches, but that hasn't shown up much in the Ponemon data yet. "We had some cases that involved an employee-owned mobile device -- BYOD -- but there aren't many of those," Ponemon said.
There were also some breaches among the nearly 300 companies participating in the study involving mobile devices -- tablets and smart phones. "That makes sense because these are computers and they're easy to lose," Ponemon said.
"They may also not be the most secure devices, because people see them differently," he added. "They don't think about safeguarding data on them the way they would with a desktop or laptop."
The Ponemon-Symantec study also noted that the average per-record cost of data breaches around the world increased this year over last -- to $136 from $130. However, those numbers, too, varied by region and breach type.
For example, the most expensive kind of breach is one caused by a malicious attack. In places like the United States, the average per-record loss to a company victimized by such an attack is $277, and in Germany it's $214. By comparison, it's only $71 in Brazil and $46 in India.
The report also made a number of recommendations for preventing data breaches. They include:
- Educate employees and train them on how to handle confidential information.
- Use data loss prevention technology to find sensitive data and protect it from leaving your organization.
- Deploy encryption and strong authentication solutions.
- Prepare an incident response plan including proper steps for customer notification.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.