The need for an insider focus when it comes to cybersecurity was recently highlighted by the release of the Ponemon Institute's annual Cost of Data Breach Study.
Jun 09th, 2013
Without a doubt, data breaches are a serious concern for organizations of all sizes and sectors. The consequences of a data breach, even a relatively small-scale one, can be devastating. Firms will often lose invaluable intellectual property, hurting their ability to compete in difficult markets. Even worse, the exposure of sensitive client information can lead to lawsuits, regulatory fines and a severely tarnished reputation.
With all of these potential risks, it is no surprise that businesses are extremely eager to invest in tools and strategies which may reduce the likelihood of such events transpiring. The only real question is how far to take such initiatives and what kind of resources businesses should leverage to this end.
Often times, companies will focus their efforts on preventing hackers and other cybercriminals from infiltrating the organizations' networks in order to steal valuable information. While this is certainly a very real danger and one which deserves significant attention and investment, preventing external threats is not enough. Additionally, businesses must develop robust tactics and utilize advanced solutions for preventing insider-originated data breaches.
The need for an insider focus was recently highlighted by the release of the Ponemon Institute's annual Cost of Data Breach Study, which found that the majority of data breaches are the result of negligence and system errors, not malicious hackers.
The study included statistics concerning data breaches affecting 277 companies in nine countries. It found that among all of the identified data breaches that occurred in 2012, two-thirds were attributable to inadvertent errors. Specifically, 35 percent were the result of human error or negligence while 29 percent were caused by system glitches.
"Data breaches normally aren't about bad people," explained Larry Ponemon, chairman and founder of the Ponemon Institute, PC World reported. "It's normally about good people making mistakes or business processes that fail."
"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious," Ponemon added.
The study noted that the average cost per record in the event of a data breach was $136 in 2012, up from $130 the year prior. In the United States, the average cost per record for participating firms was $188. When the cause of the breach was a malicious attack, though, the average cost per exposed record increased significantly in certain regions. Specifically, U.S. companies experienced a cost of $277 per record in these situations, and German firms suffered an average loss of $214.
Overall, the total cost of an average data breach for U.S. organizations was $5.4 million.
A strong defense
As this report demonstrated, an effective data protection strategy must feature a significant focus on data security risks within the organization. In particular, it is essential for decision-makers to do everything in their power to make it easy for employees to protect corporate data without compromising their productivity, and to foster a security-centric culture.
This can perhaps best be seen when it comes to mobile devices. The study found that of the recorded data breaches affecting participating companies, a sizable number involved smartphones and tablets.
As Ponemon noted, there are two key reasons why these devices are particularly vulnerable to data breaches, PC World reported. First, they are simply easier to lose than desktops, and therefore are more likely to fall into unauthorized hands. However, this is only a problem because of the second factor: lax security attitudes.
"They [tablets and smartphones] may also not be the most secure devices, because people see them differently," said Ponemon, according to the news source. "They don't think about safeguarding data on them the way they would with a desktop or laptop."
As employees increasingly use their mobile devices to perform work-related tasks, this blind spot concerning security will become more and more problematic. Companies must make a concerted effort to persuade workers to embrace data protection measures when using mobile devices, as well as when in the office.
However, it is important to note that most workers will only utilize effective security tools if these solutions are simple and not time-consuming. Even a security-conscious worker will be tempted to use less secure methods if the company's data protection solutions hurt his or her productivity on a regular basis.
That is why the end-user experience should be a key factor when firms consider the various secure file sharing, managed file transfer (MFT) and other essential security solutions on the market. Only by choosing security tools that place a minimal burden on employees can firms truly protect their valuable data.
Once these tools have been adopted, managers must regularly remind employees of the importance of using these solutions every time they send files or data sets containing sensitive information.