It is widely known in cybersecurity that the door to a data breach is often opened by employees. Sometimes even quite literally – as when end users are duped into allowing criminals to physically access computers. More frequently, the end user’s participation is unwitting; opening an infected email attachment, going to the wrong website, or leaving the office with an unencrypted laptop that is later stolen. We know this happens, but how often? In other words, in what percentage of breaches is an employee directly at fault?
Who Costs the Company More? Employees or Cybercriminals?Tweet
To answer this question, let’s look at the three ways in which an employee can contribute to, or cause, a breach:
- Intentionally and with malice (considered an “inside threat”)
- Unintentionally – without malice and sometimes without knowledge, including:
o opening an attachment that launches an infection
o allowing an unencrypted laptop or USB to be stolen
- Intentionally violating policy, but unintentionally causing a breach, including:
o Deliberately breaking the rules to solve what is perceived to be a greater problem, such as bypassing email security to email a too-large file – and sending it to the wrong external email address
o Taking Personally Identifiable Information (PII) offsite without it being encrypted, knowing there is breach potential
The reason to break these acts into separate categories is that some are more “discoverable” than others. It can take some pretty sophisticated forensics to determine which employee opened the email attachment that eventually gave cybercriminals control of the network. Even when companies are able to reconstruct these details, they often don’t share them. Thus we don’t always know when an employee assisted with an external hack. However, we do know how many (reported) data breaches occur because of employees losing data.
If we want to figure out the percentage of time employees are responsible for a breach, currently we only have this set of information to work with:
- Those that are direct cybercriminal hacks – and it’s anyone’s guess how many of these gained a foothold by way of employee mistakes
- Those that are directly attributed to employee error, malice or deliberate policy violation
However, analyzing these numbers can still yield some useful data. In fact the results get even more interesting if we break them down by industry, since it turns out that industries vary widely in terms of employee error rates. For example, the level of employee error appears to be much higher in Healthcare than in Education, and much higher in Education than in Defense.
From the beginning of 2014, a look at all reported breaches* in the US shows:
- 100% of Federal government and Defense breaches are caused by cybercriminal hacks
- 50% of Higher Education breaches are caused by cybercriminal hacks
- 20% of Healthcare breaches are caused by cybercriminal hacks
This means that at least 50% of Higher Education breaches and 80% of Healthcare breaches are directly attributable to employees violating policy. So why do the numbers vary so much by industry and what can we do about it?
Comparing these business sectors, there are three major components that appear to predetermine where a company falls in terms of percentage of employee breaches. They are:
- How often and in what ways employees interact with valuable data (or PII for private industry)
- How well educated employees are about cybercrime risks
- How well enforced security policies are
The Federal government, with the lowest employee error or theft rate (Snowden being considered an outlier) does an excellent job controlling all of these aspects because, in general, they only allow access to data on “need to know” basis, they mandate cybersecurity education, and they strictly enforce security policy.
Employee education is one of the key ways to diminish IT security breaches.Tweet
This also helps us understand why Healthcare employees are responsible for more data breaches: they handle PII more frequently than employees in other industries. This exponentially increases the opportunity for employees who are undereducated about cybercrime to do foolish things.
While we may not be able to easily affect the PII handling rate on a per industry basis, we have every reason to focus on the part of the problem which is eminently fixable: employee education. It only takes about 10 minutes to explain to someone what cybercriminals do with PII, why encryption matters and how the most common infection vectors work. Such education tools are widely available and free. The problem isn’t a lack of tools or resources; the problem is that very few organizations are willing to insist upon it.
For a webinar on this topic and other cybercrime trends see here.