Insider data breaches, whether wanton or accidental, continue to be the largest concern of IT leaders, finds a survey by Egress. The report, titled Insider Data Breach Survey 2020, which surveyed IT leaders and employees from the Benelux region as well as the US and UK, said 97 percent of respondents list insider data breaches as a major point of worry.
“All too often, organisations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person. Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organisations must invest in technology that works alongside the user in mitigating the insider threat,” commented Tony Pepper, CEO of Egress.
While a breach can happen in any part of the business, employee data, including personally identifiable information (PII) and salary information, stands at the top of the list for both accidental and intentional internal breach risk. Company intellectual property comes next, followed by customer data including personal identifiers.
The last category invites serious regulatory penalties. As expected, 41 percent of the respondents said the biggest damage from these breaches would be financial, irrespective of the reason.
“This is a predictable result of the introduction and enforcement of stringent data privacy legislation. In the UK, the ICO has fired a shot across the bows by pressing for unprecedented penalties for British Airways and Marriott Hotels for non-compliance with GDPR. For US IT leaders, the newly implemented California Consumer Privacy Act (CCPA) from January 2020 brings with it a penalty structure that means fines could eclipse even those available to GDPR regulators,” said the report.
“The direction of travel for privacy regulations worldwide is clear: non-compliance comes with a considerable price tag attached.”
Departing employees account for more than half of all insider threat incidents, with two out of three professionals openly admitting to taking data with them when they quit, SC Media UK reported earlier.
As a result, IT leaders have grown more suspicious of employees, said the report.
Close to 80 percent of IT leaders think employees have put data at risk accidentally in the last 12 months, while 75 percent think employees have put data at risk intentionally. Among employees, 27 percent said they or a colleague have accidentally shared or leaked company information externally, while 29 percent said they or a colleague have intentionally shared or leaked company information externally. All of this has led to an increase in organisational cynicism.
“This increase in cynicism points to a more nuanced understanding by IT leaders that even employees with the best intentions – those who are just trying to get the job done – can still intentionally breach company policy and put data at risk. And IT leaders recognise this, believing that staff sharing data to personal devices is the most common type of intentional risk,” said the report.
An analysis of the data breach disclosures at the UK’s Information Commissioner’s Office (ICO) by CybSafe shows that human error was behind 90 percent of them. ICO received a total of 2,376 reports in 2019, up from 540 in 2017 and 1,854 reports in 2018, the year that GDPR came into force.
Of those breaches, 90 percent could be attributed to mistakes made by end-users. The number was 61 percent in 2017 and 87 percent in 2018.
“The statistics Egress obtained from the ICO, through a recent Freedom of Information request, revealed that 60 percent of 4,856 personal data breaches, recorded between January and June 2019, were the result of human error,” said Pepper.
“Our 24/7-365 highly-connected culture increases employee fatigue, causing them to make more mistakes, especially when it comes to email.”
Behind phishing, unauthorised access was the second most common cause of cyber breaches in the UK last year, with 791 breaches reported to the ICO, said the CybSafe report. Other notable causes of breaches included 243 reports related to malware or ransomware, 64 related to hardware/software misconfiguration, and 34 related to brute-force password attacks.