Oct 25 2013

Survey Shows Innocent Employee Mistakes Are Biggest Source of Breaches

The best approach to IT security prevents company employees from being their own worst enemies.

Sometimes, things happen. But when these things turn out to be devastating data breaches, innocent mistakes can turn sinister.

An eye-popping 36 percent of breaches are the result of “inadvertent misuse of data by employees,” according to an article in PC World. The data comes from Forrester’s “Understand the State of Data Security and Privacy” report, and it paints a stark picture that every IT worker should keep in mind when considering any kind of security planning.

While security awareness might be one part of a solution for this conundrum, the reality is that awareness and education alone can’t bridge the gap.

In the PC World story, Heidi Shey, a Forrester analyst and the report’s author, outlines a three-pronged approach for companies:

The framework is split up into three parts, the first of which involves a company defining its data, the very thing it wishes to protect. So aspects like data discovery, classifications, and determining what exactly the company values all come into play here.

Then companies need to dissect their data. Companies typically have traditional reporting tools, said Shey, which tell them about alerts and events. They can then analyze this data and see what information they can glean about visibility, their environment, and what exactly is going on in that environment. They can also look at data flows to see where it goes and how it's being used. By looking at their security data and info about their data, companies can determine the requirements that need to be put on the type of data they're handling.

The final part of the framework is, of course, defending. Defending and inspecting access controls, proper data disposal (getting rid of data that is no longer needed, as it could be a liability), and killing or encrypting data are all imperative in carrying out the last step of the data control framework.

As the saying goes, a team is only as strong as its weakest player, and in this case, a security solution or plan is only as strong as its least informed employee.

What kinds of security plans or solutions has your company put in place to help prevent employees from leaving the corporate backdoor open?