It’s normally an employer’s responsibility to set up a security policy, so it’s interesting to find out that it’s the employees that bear some of the blame for security breaches.
A recent study found that 48 percent of employees were unfamiliar with at least some details of their company’s security policy, and another 8 percent admitted to completely disregarding the policy altogether, according to CompTIA’s 11th Annual Information Security Trends.
And in its 2013 report, the Identity Theft Resource Center found that employee error or negligence accounted for 9.2 percent of the data breaches that happened.
Meanwhile, businesses are moving into new technology models and aggressively pursuing them because there is a benefit, Seth Robinson, the director of technology analysis and market research at CompTIA, said.
With that transition, businesses aren’t fully realizing the impact on security, he said. Beyond not fully understanding how using the cloud on the back end differs from installed equipment, many think hosted solutions are the same as using the cloud.
And mobility is changing the way many employees work and access data in the cloud or on on-premises systems.
Robinson said all of the above are major disruptors that can end up yielding new security implications.
To that point, CompTIA’s findings actually tell an interesting story.
Employers are concerned about malware and hacking – as well they should be – but those aren’t the only things taking place, nor the most important.
“What companies should be equally concerned about, yet was at the bottom of the list, was human error,” Robinson said. “They were the least concerned about that, but when we turned the question around, we found that human error was accounting for more than 50 percent of security instances.”
So, human error is important when it comes to security breaches, but companies didn’t have a high level of concern. It’s an interesting conundrum.
Robinson had a few theories: 1) Perhaps the companies had already done all they could around human error, though he didn’t think that was the case. 2) They weren’t letting security issues keep them from pursuing those new technologies. 3) Companies aren’t sure what to do about human error.
He tends to go with No. 3: when companies want to protect their data, they buy a security product such as a firewall. When faced with human error, they may wonder what technology to buy to prevent it; a few products exist, but the real answer is education.
“Companies are trying to make sure they are answering the security aspect, but end up doing it after the fact,” he said. “It’s good that it is happening, but that’s where companies are painting themselves into a corner.”
While education is key, there are good and better ways to approach it. Robinson has seen companies do things from the standard annual online class to more interactive lessons.
One of his examples was a company that set up a fake phishing site and email, sent it to a group of employees and monitored how many of them clicked on it. Then the security officer provided education around the exercise, including some of the signals that could have told the employees it was a phishing email, and what to do when they receive an email like that in the future.
Some time later, the IT department would send another phishing email to a different group of employees and measure again who is clicking on it to see if the education had an effect.
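As an added example (not from the article or from CompTIA), here is a small script that scores the before-and-after measurement Robinson describes: it computes the click rate for each cohort from constructed campaign results and runs a two-proportion z-test to tell whether the drop is larger than chance would explain. The cohort names, the log layout and the counts are all assumptions.

```python
"""Score a phishing-awareness exercise: click rate before vs. after education."""
from math import erf, sqrt


def build_log(cohort, sent, clicked):
    """Constructed sample data: `sent` employees in a cohort, of whom the first
    `clicked` opened the simulated phishing link (True) and the rest did not."""
    return [(cohort, f"user{i:02d}", i < clicked) for i in range(sent)]


# Constructed results: "baseline" got the first email before any education,
# "trained" got the follow-up email after the awareness session.
CAMPAIGN_LOG = build_log("baseline", sent=40, clicked=12) + \
               build_log("trained", sent=40, clicked=3)


def click_rate(log, cohort):
    """Return (clicked, sent, rate) for one cohort of the campaign log."""
    sent = [rec for rec in log if rec[0] == cohort]
    clicked = sum(1 for rec in sent if rec[2])
    return clicked, len(sent), clicked / len(sent)


def two_proportion_test(c1, n1, c2, n2):
    """Two-sided z-test that two click proportions differ; returns (z, p_value).
    If neither cohort clicked at all, there is nothing to compare: z=0, p=1."""
    p1, p2 = c1 / n1, c2 / n2
    pooled = (c1 + c2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:
        return 0.0, 1.0
    z = (p1 - p2) / se
    # Normal CDF via erf; two-sided p-value from the upper tail of |z|.
    upper_tail = 1 - 0.5 * (1 + erf(abs(z) / sqrt(2)))
    return z, 2 * upper_tail


def evaluate(log, before="baseline", after="trained", alpha=0.05):
    """Compare the two cohorts and say whether the education had a measurable effect."""
    c1, n1, r1 = click_rate(log, before)
    c2, n2, r2 = click_rate(log, after)
    z, p = two_proportion_test(c1, n1, c2, n2)
    return {"before_rate": r1, "after_rate": r2, "z": z, "p_value": p,
            "improved": r2 < r1 and p < alpha}


if __name__ == "__main__":
    for key, value in evaluate(CAMPAIGN_LOG).items():
        print(f"{key}: {value}")
```

A drop that is not significant at the chosen alpha is a sign to enlarge the cohorts or repeat the exercise before concluding the training worked.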
“Companies who have done this are finding that approach to be effective and get people asking more questions and being more cautious with the data they are handling,” Robinson said.
Ultimately, both the employer and employees want to get business done, but each is faced with the scenario of having a flexible work environment while also keeping it secure.