While data breaches born of malicious attacks grab headlines, more data thefts are caused by employee negligence and computer glitches, according to a report this week by Symantec and the Ponemon Institute.
Almost two-thirds of data breaches in 2012 could be attributed to negligence or human error (35 percent) and system glitches (29 percent), according to the eighth annual Ponemon Global Cost of a Data Breach study.
Those figures vary by nation, the report showed. For example, Germany had an almost even split between malicious attacks (48 percent) and negligence or glitches (52 percent). By comparison, more than three-quarters of the breaches (77 percent) in Brazil were blamed on human error and system failures.
A common misconception by organizations is that security policies can eliminate human error, said Tony Busseri, CEO of Route1, a maker of security and identity solutions. "We have this expectation that because there's a policy manual and core training, that people are going to execute perfectly," he said in an interview. "They don't."
"We so often focus on the North Koreans or the Chinese or the bad guys, when in reality we create the large majority of breaches ourselves."
Even the lynchpin of a malicious attack can depend on human frailty, pointed out Timothy Zeilman, vice president of Hartford Steam Boiler, a unit of Munich Re, which released a study this week on cyber attacks on small businesses.
The increased presence of employees' personal devices in the workplace is often cited as a potential source of data breaches, but that hasn't shown up much in the Ponemon data yet. "We had some cases that involved an employee-owned mobile device -- BYOD -- but there aren't many of those," Ponemon said.
There were also some breaches among the nearly 300 companies participating in the study that involved mobile devices such as tablets and smartphones. "That makes sense because these are computers and they're easy to lose," Ponemon said.
"They may also not be the most secure devices, because people see them differently," he added. "They don't think about safeguarding data on them the way they would with a desktop or laptop."
The most expensive kind of breach is one caused by a malicious attack. In the United States, the average per-record loss to a company victimized by such an attack is $277, and in Germany it is $214. By comparison, it is only $71 in Brazil and $46 in India.
The report also made a number of recommendations for preventing data breaches. They include:
- Educate employees and train them on how to handle confidential information.
- Use data loss prevention technology to find sensitive data and protect it from leaving your organization.
- Deploy encryption and strong authentication solutions.
- Prepare an incident response plan including proper steps for customer notification.
This story, "Data breaches caused mostly by negligence and glitches, study finds" was originally published by CSO.