However, while most commentary on IT security breaches focuses on systems failures, in actuality human failures are often to blame.
Employees Cause Data Headaches
More than 78 percent of the 709 IT and security practitioners who participated in a recent survey sponsored by web security provider Trend Micro blame employee behaviors, both intentional and accidental, for at least one data breach within their organizations during the past two years. The top three root causes of these breaches are employees' loss of a laptop or other mobile data-bearing device (35 percent), third-party mishaps (32 percent) and system glitches (29 percent). At the same time, nearly 70 percent of those surveyed either agree or strongly agree that their organization's current security activities are not enough to stop a targeted attack or hacker.
Furthermore, the report reveals that even when employees make unintentional mistakes, 56 percent of respondents say most of these breaches are discovered only by accident, which makes them difficult to resolve promptly. One in five (19 percent) say that employees self-reported the data breach, 37 percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.
SMBs Suffer Even Worse Security Problems
According to a separate analysis of the respondents from organizations with fewer than 100 employees, SMBs have a slightly higher rate of data breaches (81 percent compared to 78 percent) due to employees' mishandling of sensitive data. SMB employees were reported to be more likely to engage in "risky" behavior: 58 percent of them will or have already opened attachments or web links in spam, compared to 39 percent from larger enterprises, and 77 percent will or have already left their computer unattended, compared to 62 percent from their larger counterparts. The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limits websites, compared to 43 percent of enterprise employees.
And about two-thirds (65 percent) of smaller organizations say that, in general, their organizations' sensitive or confidential business information is not encrypted or safeguarded by data loss protection technologies. In addition, employees in smaller organizations are less likely to spend time on data protection or to have the proper technologies in place to thwart data loss: 62 percent of SMBs believe they are not protected. Of these respondents, 65 percent say it is because the technologies are too expensive and 54 percent say they are too complex.
Addressing the Human Factor
These results mean that especially when they are providing managed security services for SMBs, MSPs must address the human factor in their offerings. At the simplest level, effective filters should block employees from accessing inappropriate or dangerous websites or emails on any device which connects to the corporate network. And any device which connects to the corporate network should automatically go into "safe" mode when left inactive for more than a brief period of time, with encrypted password protection.
At a more complex level, security systems should regularly run exception-based reports that automatically raise flags when any device connecting to the network shows an abnormal or prohibited location or activity. And of course, these managed services must be delivered in a manner that smooths out complexities and at a price affordable to most SMBs.
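The exception-based report described above can be reduced to a small, auditable rule set: keep an inventory of which locations each device is approved for, define normal working hours, and list the activity categories the policy forbids, then emit one finding per connection event that violates any of them. The script below is an added illustration of that approach and is not code from the article or from Trend Micro; the log format, device ids, locations and baseline values are all constructed for the example.

```python
"""Exception-based connection review: flag device connections that fall
outside an approved baseline. Added example, not code from the article
or from Trend Micro; the log format and baseline values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample log: timestamp, device id, user, location, activity.
SAMPLE_LOG = """\
2013-06-03T09:12:44 LT-0042 jdoe US-NYC vpn_connect
2013-06-03T09:15:02 LT-0042 jdoe US-NYC web:intranet
2013-06-03T13:40:19 LT-0042 jdoe US-NYC web:filesharing
2013-06-04T02:05:31 LT-0042 jdoe RO-BUC vpn_connect
2013-06-04T10:22:10 LT-0077 asmith US-CHI vpn_connect
2013-06-04T10:30:55 LT-0077 asmith US-CHI web:intranet
2013-06-04T11:00:00 TB-0009 guest US-NYC vpn_connect
"""

# Constructed baseline: where each inventoried device is normally used.
APPROVED_LOCATIONS: Dict[str, Set[str]] = {
    "LT-0042": {"US-NYC"},
    "LT-0077": {"US-CHI", "US-NYC"},
}
# Normal working day, local time (07:00 to 19:59).
WORK_HOURS = range(7, 20)
# Activity categories the policy prohibits outright (constructed labels).
PROHIBITED_ACTIVITIES = {"web:filesharing", "web:gambling"}


@dataclass
class Event:
    when: datetime
    device: str
    user: str
    location: str
    activity: str


@dataclass
class Finding:
    event: Event
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated log line in the constructed format."""
    ts, device, user, location, activity = line.split()
    return Event(datetime.fromisoformat(ts), device, user, location, activity)


def check_event(event: Event) -> List[str]:
    """Return the policy exceptions raised by one event (empty if none)."""
    reasons: List[str] = []
    approved = APPROVED_LOCATIONS.get(event.device)
    if approved is None:
        # Unknown hardware on the network is itself an exception.
        reasons.append("device not in inventory")
    elif event.location not in approved:
        reasons.append(f"unapproved location {event.location}")
    if event.when.hour not in WORK_HOURS:
        reasons.append(f"outside working hours ({event.when:%H:%M})")
    if event.activity in PROHIBITED_ACTIVITIES:
        reasons.append(f"prohibited activity {event.activity}")
    return reasons


def review(log_text: str) -> List[Finding]:
    """Run the exception report over a whole log. Only events that raise at
    least one exception are returned, so a clean log yields an empty list."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = check_event(event)
        if reasons:
            findings.append(Finding(event, reasons))
    return findings


def format_report(findings: List[Finding]) -> List[str]:
    """Render findings as one human-readable line each."""
    return [
        f"{f.event.when:%Y-%m-%d %H:%M} {f.event.device} ({f.event.user}): "
        + "; ".join(f.reasons)
        for f in findings
    ]


if __name__ == "__main__":
    for line in format_report(review(SAMPLE_LOG)):
        print(line)
```

Because the report lists only exceptions, an SMB administrator with no dedicated security staff reviews a handful of lines rather than the whole connection log, which is the point of an exception-based design. In a real deployment the baseline would come from the asset inventory and directory rather than a hard-coded dictionary, and the same check_event logic could be scheduled against the VPN or proxy logs the MSP already collects.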