What Is The Biggest Threat To Information Security?
When we think of security risks, often the first thing that pops into our head are the threats we face from hackers. However, based on a recent survey from the Ponemon Institute the reality is that the most significant threats to our data security aren’t from hackers, but our own employees.
According to their report “2015 State of the Endpoint Report: User-Centric Risk” “The biggest problem identified in this year’s research is the negligent or careless employee with multiple mobile devices using commercial cloud apps and working outside the office.”
Negligent employees pose an even bigger risk to our data security than external threats. Most of the data breaches identified in this survey were “internal and unintentionally caused by employees who were negligent, careless or ignored security policies.”
“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious,” said Larry Ponemon, chairman of the research firm, in a recent interview. “Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey.”
The biggest threats to endpoint security identified in the survey were:
- Negligent or careless employees who do not follow security policies – 78%
- Personal devices connected to the network (BYOD) – 68%
- Employees’ use of commercial cloud applications in the workplace – 66%
Other findings in the survey that are of interest:
- The number of employees and others using multiple mobile devices in the workplace has increased – 65%
- The number of insecure mobile devices used in the workplace has increased significantly – 45%
- Malware infections are more stealthy and difficult to detect – 45%
- More employees are working offsite and using insecure WiFi connections – 38%
Unfortunately, an information security team can’t simply install an appliance to solve this behavior. They can raise awareness and educate staff as to security policies and the associated risks if they’re ignored.
Preventing an employee-caused data breach can be incredibly difficult. But there are several ways to get a better handle on the issue:
Routine reminders and training can go a long way to assure that everyone understands that information security is everybody’s responsibility. Make sure everyone is familiar with the basics.
- What are the established security policies, and that
- Removable storage devices (USBs, disks, etc.) are easily lost or stolen.
- Emails containing sensitive data should be encrypted so if they’re sent to the wrong person they remain protected, and
- Third-party file-sharing and storage websites (Dropbox, Google Drive, etc.) are not secure.
Assess the risk
Identifying data storage and distribution practices are the first step to uncovering any vulnerabilities that could exist.
- Have there been any breaches in the past? If so, what were the causes?
- How confidential files are typically transferred and stored?
- What are the common practices accessing mobile information?
Regularly review regulatory compliance requirements
Many organizations are required to audit and report on their data security initiatives to remain compliant. As security tools mature there is the opportunity to implement routine security health checks on people, processes, and technologies.
Secure and manage data in motion
Data that is being transferred is at risk of being lost, stolen, or otherwise compromised from internal breaches and human error. The security team must implement systems that can effectively secure and manage data in motion. Transparency is important. Visibility into what was sent, how it was sent, to whom it was sent, and who accessed it is imperative.
Data security will always be a priority. Whether the risk is internal or external, diligence is required. If you would like to find out how Mainstream can help protect your information, please give us a call @ 501.801.6700 or send us an email.