Study: Most Companies Fault Employees for Data Breaches

Cupertino, Calif. — March 5

Employee negligence or maliciousness is the root cause of many data breaches, according to a report released by Ponemon Institute and sponsored by Trend Micro Inc., a cloud security firm.

More than 78 percent of respondents blame employee behaviors, both intentional and accidental, for at least one data breach within their organizations over the last two years.

The top three root causes of these breaches are employees’ loss of a laptop or other mobile data-bearing device (35 percent), third-party mishaps (32 percent) and system glitches (29 percent).

In addition, nearly 70 percent of those surveyed either agree or strongly agree that their organization’s current security activities are not enough to stop a targeted attack or hacker, according to the study, which surveyed 709 IT and IT security practitioners in the United States.

The report reveals that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents. Only 19 percent of respondents say that employees self-reported the data breach, making it difficult to promptly resolve the breach. Thirty-seven percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.

SMBs are at a greater risk of their employees mishandling data than enterprises, according to a separate analysis of the overall respondents from organizations with fewer than 100 employees. Overall, SMBs have a slightly higher rate of data breaches, 81 percent versus 78 percent, due to employees’ mishandling of sensitive data.

SMB employees were reported to be more likely to engage in “risky” behavior: Fifty-eight percent of them will or have already opened attachments or Web links in spam, versus 39 percent from enterprises.

The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limits websites, compared to 43 percent of enterprise employees.

The majority (65 percent) of smaller organizations say that, in general, their organization’s sensitive or confidential business information is not encrypted or safeguarded by data loss protection technologies. Further, employees are less likely in smaller organizations to spend time on data protection or have the proper technologies in place to thwart data loss — 62 percent of organizations believe they are not protected. Of these respondents, 65 percent say it is because technologies are too expensive and 54 percent say they are too complex.

Source: Trend Micro Inc.