The threat of cyberattacks on U.S. organizations continues to be a major concern among business leaders. The chair of the U.S. Securities and Exchange Commission said in a recent speech that the cyber threat to U.S. businesses is the “biggest risk we face.”
Almost on cue, the U.S. Justice Department’s National Security Division reported the cyber victimization of several U.S. firms to hedge fund leaders.
To gain information about the cause of today’s data security problems, the law firm of BakerHostetler examined the more than 200 data security incidents the firm managed in 2014. The firm was able to identify the cause in 139 of them, and found that the largest share of security problems (36 percent) were the result of employee negligence. Twenty-two percent were caused by theft from outsiders; 16 percent from inside threats; 14 percent from malware; and 11 percent from phishing attacks.
Experts who worked on the survey believe problems arise when employees bring home sensitive files in their efforts to be more efficient and productive. They will often ignore organizational policies that restrict the types of files that can be taken from the workplace, and then they download information onto unsecured hard drives.
The report also found most organizations are quick to identify a security issue, but lack the procedures to quickly work toward a resolution. Ellen Rosen, “Human Error Biggest Cause of Data Breach: Survey,” bol.bna.com (May 11, 2015).
Human error accounts for most data breaches. The good news is that policies and training can help correct most human errors.
– Policies about uploading employer data onto personal devices are an important first step, but they are not the only step.
– Employers should orientate employees on the policy and explain why it is so important.
– Along with orientation, employers must train employees to avoid data loss from employee negligence.
– Employee cyber negligence includes loss of data via stolen mobile devices, Wi-Fi interceptions, phishing and other poor practices.
– The constantly changing nature of cyberthreats requires employee training to be a continuous effort, rather than a “one and done” endeavor. Keeping employees informed of the latest threats will limit employee mistakes, and prevent most hacks.
– It is also important that employees understand the importance of specific policies and procedures and how their actions can introduce serious risk.