Human Error Still The Cause of Many Data Breaches
With the incidence of reported data breaches on the rise, more than half of all C-suite executives (C-Suites) (53%) and nearly three in 10 Small Business Owners (SBOs) (28%) who suffered a breach reveal that human error or accidental loss by an external vendor/source was the cause of the data breach, according to a Shred-it survey conducted by Ipsos.
When assessing additional causes of data breaches, the report found that nearly half of all C-Suites (47%) and one in three SBOs (31%) say human error or accidental loss by an employee/insider was the cause.
What’s more, one in five C-Suites (21%) and nearly one in three SBOs (28%) admit deliberate theft or sabotage by an employee/insider was the cause of the data breach, compared to two in five C-Suites (43%) and one in three SBOs (31%) who say deliberate theft or sabotage by an external vendor/source caused their organization to suffer a data breach.
“For the second consecutive year, employee negligence and collaboration with external vendors continues to threaten the information security of U.S. businesses,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions.
“New to this year, however, is that the report revealed how deliberate sabotage by both employees and external partners is a very real risk organizations face today. The consequences of a data breach are extensive and are not limited to legal, financial and reputational damage. As the report showed, data breaches can affect employee retention too.”
While the result of a data breach can have a variety of consequences on U.S. businesses, one of the most important factors is that a breach has an immediate effect on employee trust in an organization. In fact, one-third (33%) of the U.S. workforce say they would likely look for a new job if their employer suffered a breach of customer (31%) or employee data (35%).
What’s more, while nearly half of all consumers (47%) would wait to see how a business reacts to a data breach it has suffered before making up their mind about what to do, nearly one in four consumers (23%) would stop doing business with the company and nearly one-third (31%) would tell others about the breach, Shred-it’s Ninth Annual Data Protection Report reveals.
Lack of training leaves employees unaware of information security policies and procedures
- When asked if their organization has a known and understood policy for storing and disposing of confidential paper documents, one in five (21%) of C-Suites admit they have a policy but that not all employees are aware of it and more than one in 10 (12%) of SBOs said the same.
- Three in 10 (30%) of SBOs admit that no policy exists for storing and disposing of confidential paper documents.
- When it comes to understanding policies for storing and disposing of end-of-life electronic devices, one in five C-Suites (21%) and SBOs (12%) say they have a policy, but not all employees are aware of it. Four in 10 (42%) SBOs say no policy exists in their organization.
Worries of a data breach grow
- 94% of C-Suites and 79% of SBOs agree with the statement that they believe the option to work remotely is going to become increasingly important to their employees in the next 5 years.
- However, 88% of C-Suites and 69% of SBOs agree with the statement that the risk of a data breach is higher when their employees work off-site than it is when they work at the office.
- One in six (16%) working Americans say their organization has suffered a data breach at some point in the past.
U.S. businesses remain vulnerable
- Of the money their organization spends on data security, C-Suites say 59% is spent on digital security and 41% on physical document security, on average. SBOs say 56% is spent on digital security and 44% on physical document security, on average.
- One in 10 C-Suites (10%) and nearly one in 10 SBOs (9%) say they train their staff only once during their employment on their organization’s information security policies and procedures.
- Although the majority of C-Suites (88%) regularly train employees on how to identify common cyber-attack tactics such as phishing, ransomware, or other malware (malicious software), only slightly more than half of SBOs (52%) say the same.
- Around three in five (58%) working Americans have been targeted by phishing email or social engineering scams at work, of which eight percent (8%) claim to have been victimized by them.
Americans think their personal data and information is less secure than it was 10 years ago
- Consumer confidence in data security is low with more than half (60%) believing their personal data and information is less secure than it was 10 years ago.
- With those concerns, it’s no surprise that 83% of consumers say digital data security is a top priority when choosing who to do business with.
- Additionally, nearly seven in 10 consumers (66%) do not trust that all digital data breaches are properly disclosed to consumers and not kept secret.
Vulnerable Software – The Gift that Keeps on Giving
Concerning the latest data breaches on record, this past May was rather noteworthy. A host of organizations from around the world announced, in fact, that they had experienced a data breach. From online retailers, travel booking sites, and high-tech startups, to social sharing sites, healthcare billing firms, and even title insurance companies, the long list of victims just got longer. Although there are many ways that organizations get breached, the end result is always the same. Consumers are negatively impacted, organizations lose their customers’ confidence, costly investigations take place, fines are possibly imposed, and attackers have just found a way to fund their next operation. This endemic dilemma should have everyone asking, “What is it going to take to eliminate the root cause of this problem?”
Breaches come in all shapes and sizes, yet their causes usually come from a small number of different influences. For example, the simplest form of a breach is caused by losing the data. Most would be surprised by the number of lost or stolen laptops, smartphones, storage devices, and other pieces of media occurring throughout the world on a daily basis. The statistics are somewhat shocking. However, is this the primary cause of data breaches? Unfortunately, it’s not.
The second easiest way to gain access to private data is stumbling across an overlooked database that unintentionally found its way onto the internet, likely due to human oversight. In fact, some of the recorded data breaches have been caused by someone leaving a database wide open to the masses, and to attackers alike. However, this error is also not the primary cause of most data breaches observed today.
The loss of devices and the case of databases being left open to the public are simply part of the “human element”: no matter how many times humans are told, trained, instructed, cautioned, warned, etc., these errors will continue to be made. Everyone agrees that humans are simply prone to making errors, no matter how easy it would be to avoid them. However, there is a primary cause of data breaches today that could be avoided altogether by doing one simple thing – building more-secure software.
Of the breaches mentioned in the first paragraph, none were due to someone losing a laptop, or to somebody forgetting that a database was left wide open to the internet. These types of errors don’t normally lead to mega-breaches; they’re somewhat uncommon, and no matter how many times people are warned, they will likely continue to happen. Instead, every breach mentioned herein was likely the result of an attacker exploiting a software vulnerability, either in a piece of code itself or in how that code was implemented.
There is no doubt that software developers (who happen to be human) will continue to make coding errors that lead to exploitable vulnerabilities within the code they develop. Although some believe it’s simply due to untrained or uncaring developers, it’s actually due to a nearly-immeasurable number of reasons. A simple analogy would be to compare “why errors find their way into code” vs. “why a person caught a cold”.
No matter how many times people try to determine “why they caught a cold”, finding that one reason each and every time is nearly impossible. The possibilities as to why a person caught a cold are nearly impossible to quantify. In addition, no one goes to the cold-remedy aisle in the pharmacy trying to figure out why they caught a cold. Instead, what they are looking for is a remedy for the cold, and relief for the symptoms they are experiencing.
Regardless of why coding errors (leading to vulnerabilities) find their way into code, is there a single solution that can remedy the situation every time? Yes, there is. Application Security Testing (AST) solutions that integrate static testing (SAST), run-time testing (IAST), software composition analysis (SCA), and secure coding education for developers, available in a single platform, are a complete reality today. Organizations must address their known and unknown vulnerabilities during the development process, before their applications reach the internet. As a result of this effort, your organization will significantly reduce its risk of software exposure, and considerably narrow the attack surface it faces daily.
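The paragraph above argues that the root cause is a vulnerability in the code itself, found by static testing before the application ships. The following added example (not code from the page or from Checkmarx) shows what a minimal SAST-style rule looks like: it walks the Python AST of a constructed sample, flags any `execute()` call whose SQL statement is assembled at run time, and then runs both the flagged and the parameterized version against an in-memory SQLite table with a name containing an apostrophe to show why the fix matters. The sample sources, the `find_user` function name and the table layout are all constructed for this illustration.

```python
"""Minimal SAST-style rule: flag SQL statements built from run-time values (added example)."""
import ast
import sqlite3

# Constructed sample: the form a static analyser should flag, because the query
# text is assembled with string formatting from a caller-supplied value ...
VULNERABLE_SRC = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cur.fetchone()
'''

# ... and the hardened form, which keeps the statement constant and passes the
# value separately so the driver never has to parse it as SQL.
HARDENED_SRC = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()
'''


def _is_dynamic_string(node):
    """True when the expression builds a string at run time from other values."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                           # "..." % x or "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False


def find_sql_injection(source):
    """Return (line, message) for each execute()/executemany() call whose statement is dynamic."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, "SQL statement built from run-time values; use bound parameters"))
    return findings


def run_sample(source, name):
    """Load find_user from the sample source and look up `name` in a constructed table.

    Returns the matching row, or the exception class name if the query breaks."""
    namespace = {}
    exec(source, namespace)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('O''Brien')")   # stored value is O'Brien
    try:
        return namespace["find_user"](conn, name)
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, "findings:", find_sql_injection(src))
        print(label, "lookup of O'Brien:", run_sample(src, "O'Brien"))
```

The rule deliberately keys on how the statement is constructed rather than on its text, which is the same approach a static analyser takes when it cannot know what values reach the call at run time. A legitimate name with an apostrophe is enough to make the formatted query fail with a syntax error, while the parameterized version returns the row; the difference in behaviour on ordinary input is the symptom, and the construction pattern is the cause the scanner reports.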
To learn more about Checkmarx Software Exposure platform and the solutions mentioned above, you can request a demo here.
Wi-Fi in the office — convenient but risky
Almost every office has a Wi-Fi network today, and sometimes more than one. Who wants to connect laptops with a cable? And forget about smartphones and tablets! However, a wireless network can be a weak point in your IT infrastructure.
Not all companies use complex and unique passwords for their wireless networks, and few bother to disable the broadcasting of the network’s name. And not many at all limit the power of the Wi-Fi signal to prevent network connections from outside of the office. Thus, usually little prevents a potential attacker from hanging around near the office and trying to get into a corporate network through a Wi-Fi connection.
Performing a simple dictionary attack on the router’s login takes just a few seconds. Cracking complex password combinations takes more time, but unless the attacker is in a hurry, it is quite possible. However, that’s not always necessary, because with some routers an attacker can simply use vulnerabilities in the firmware.
Researchers regularly detect vulnerabilities that can allow malefactors into a network, bypassing your Wi-Fi router’s passwords and other protective mechanisms. In some cases they can get superuser rights on the device. Usually developers are quick to patch those vulnerabilities. The trouble is that many organizations do not install patches in a timely manner, especially when doing so involves reflashing firmware.
Many companies use different Wi-Fi networks for employees and guests. This is a reasonable measure: on the one hand, customers and other visitors to the office can connect to the Internet; on the other hand, they will not have access to the corporate network and internal resources. However, guest Wi-Fi can work against you.
Getting a password for a guest network is easy enough — that’s the idea. But in some cases — if the network is improperly configured — it can let guests reach some elements of the corporate infrastructure.
Even with the correct network configuration, your employees can unwittingly put themselves in jeopardy. Suppose that one of them wanted to access a network resource blocked by corporate policy. Without thinking twice, he connects a laptop with confidential data to the guest network. Now an attacker lurking in the same guest network can try to perform a man-in-the-middle attack and infect his laptop with malware.
How to make corporate Wi-Fi less vulnerable
We believe Wi-Fi networks are still worthwhile; they do, however, need security-oriented approaches for both device and corporate-network configuration.
- Update the firmware of Wi-Fi routers and access points, and keep them up to date. Manufacturers are constantly fixing vulnerabilities; don’t assume that because something works, it is secure.
- Set a unique, long, complex password to access Wi-Fi. Your employees will need to enter it only once on each device, and strong passwords make hacking a network more complicated.
- Limit signal strength so that your network is not available from outside of the office.
- Hide the name of the network to make it harder to find.
- Choose a name for the network that is not obvious or easily guessable — and keep the router model number out of it, so attackers can’t use that to search for a known vulnerability.
- Segregate the guest network so guests do not have access to internal resources. You may have to deprive your visitors of some convenience (such as the ability to print a document on your printer), but you will significantly reduce the risk of data leakage.
- Use a reliable security solution so that even if an attacker breaches your network, they will not be able to cause significant damage to workstations and servers.
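Several of the recommendations above (a unique, long, complex passphrase that a dictionary attack will not find quickly, a hidden and non-revealing network name, and a guest network segregated from internal resources) can be checked against an access point's configuration before it goes live. The following added example (not code from the page or from Kaspersky) audits a constructed configuration written in hostapd.conf syntax: the first `key=value` block is treated as the corporate network and each `bss=` line is assumed to start a guest network, which is this example's convention rather than anything the article states. The wordlist, the model-name pattern, the 16-character minimum and both sample configurations are constructed for the illustration; firmware currency and signal strength are outside what a config file can show and are not checked here.

```python
"""Audit a hostapd-style Wi-Fi configuration against the checklist above (added example)."""
import re

# Constructed sample in hostapd.conf syntax: the weak configuration ...
WEAK_CONF = """
interface=wlan0
bridge=br-lan
ssid=Office-TPLINK-AX1800
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password123
ignore_broadcast_ssid=0
bss=wlan0_guest
bridge=br-lan
ssid=Office-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password123
"""

# ... and the corrected one: hidden, non-revealing corporate SSID, distinct long
# passphrases, and a guest BSS on its own bridge with client isolation turned on.
HARDENED_CONF = """
interface=wlan0
bridge=br-lan
ssid=blue-meadow-7
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Tq8!vR2#mLw9zP4@hN6&cB3$
ignore_broadcast_ssid=1
bss=wlan0_guest
bridge=br-guest
ssid=lounge-access
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Fj3&kL8@pQ2$wX7!zA9#rM5^
ap_isolate=1
"""

# Tiny constructed stand-in for the wordlist a dictionary attack would try first.
COMMON_PASSPHRASES = {"password", "password123", "12345678", "admin1234", "welcome1"}
# Constructed pattern for vendor names and model-style tokens that leak the router type.
MODEL_HINT = re.compile(r"tp-?link|netgear|asus|linksys|d-?link|\b(ax|ac|wrt)\d{3,4}\b", re.I)
MIN_PASSPHRASE_LEN = 16   # policy threshold assumed for this example


def parse_hostapd(text):
    """Split the file into one dict per BSS; index 0 is the primary (corporate) BSS."""
    sections = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "bss":                # assumed: a bss= line opens a guest BSS
            sections.append({"bss": value.strip()})
        else:
            sections[-1][key.strip()] = value.strip()
    return sections


def passphrase_problems(pw):
    """Checks for the 'unique, long, complex' rule and for dictionary-attack exposure."""
    if pw is None:
        return ["no WPA passphrase set"]
    problems = []
    if pw.lower() in COMMON_PASSPHRASES:
        problems.append("passphrase is in a common wordlist")
    if len(pw) < MIN_PASSPHRASE_LEN:
        problems.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("passphrase uses fewer than 3 character classes")
    return problems


def audit(text):
    """Return (network name, finding) pairs for every checklist violation found."""
    findings = []
    sections = parse_hostapd(text)
    corp = sections[0]
    corp_name = corp.get("ssid", "<primary>")
    for i, bss in enumerate(sections):
        name = bss.get("ssid", f"<bss {i}>")
        if bss.get("wpa") not in ("2", "3"):
            findings.append((name, "WPA2/WPA3 not enforced"))
        for problem in passphrase_problems(bss.get("wpa_passphrase")):
            findings.append((name, problem))
        if MODEL_HINT.search(bss.get("ssid", "")):
            findings.append((name, "SSID reveals vendor or model"))
        if i == 0:
            if bss.get("ignore_broadcast_ssid", "0") != "1":
                findings.append((name, "corporate SSID is broadcast"))
        else:
            if bss.get("bridge") == corp.get("bridge"):
                findings.append((name, f"guest BSS shares bridge with corporate network {corp_name}"))
            if bss.get("ap_isolate", "0") != "1":
                findings.append((name, "guest clients can reach each other (ap_isolate=0)"))
            if bss.get("wpa_passphrase") == corp.get("wpa_passphrase"):
                findings.append((name, "guest passphrase identical to corporate passphrase"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for network, finding in audit(conf):
            print(f"  [{network}] {finding}")
```

The bridge comparison is what enforces "guests do not have access to internal resources": putting the guest BSS on a separate bridge (and firewalling it) is the segregation the article asks for, while `ap_isolate=1` additionally stops two guest devices from talking to each other, which is what makes the man-in-the-middle scenario described above harder to carry out on that network.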