Sophisticated cyber-attacks on company systems may get all the attention, but the most common cause of data breaches isn't hackers; it's usually little more than simple human error.

According to a recent study by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association, data breaches most commonly stem from negligence by rank-and-file employees: laptops left in taxis, smartphones forgotten on a restaurant table, or misplaced thumb drives. In fact, the most common cause of data breaches—lost paper files—is decidedly low tech, the survey finds.

Of the 450 compliance and ethics professionals surveyed, 38 percent said lost paper files caused their organization's last data breach, and 27 percent said the latest data breach was caused by a misplaced portable memory device. Only 11 percent of respondents blamed hackers for their organizations' security breaches.

“The survey shows that a majority of data breaches have nothing to do with software vulnerabilities,” says Roy Snell, chief executive officer of the SCCE and HCCA. Adding anti-virus and intrusion-detection software won't mitigate most data breaches as effectively as simply putting stronger internal controls and employee training in place, he says.

Forensic experts say that companies are beginning to wake up to this reality. “Organizations that experience these data breaches are realizing it's not really an ominous cyber problem; it's actually a people problem,” says Shane Sims, director of PwC's advisory forensics practice and a former special agent at the Federal Bureau of Investigation.

For example, a newspaper journalist recently found sensitive medical records for more than 67,000 residents—including names, Social Security numbers, and medical diagnoses—in a public dump. As a result, medical billing company Goldthwait Associates and four pathology groups agreed last month to pay a collective $140,000 fine to the Massachusetts Attorney General's office for the mistake, which violates the Health Insurance Portability and Accountability Act. The law requires such documents to be disposed of in a way that destroys the information, such as shredding.

The stakes for preventing such careless handling of sensitive data have never been higher, particularly in the healthcare industry. Regulators have recently added new privacy and security protections for health information under HIPAA and significantly increased penalties for non-compliance.

Outside the healthcare sector, while no federal data security law exists, some states—California, Connecticut, Maryland, Massachusetts, Nevada, Oregon, and Rhode Island—have enacted laws that require companies to implement and maintain reasonable security measures to protect state residents' personal information from being compromised.

Other Vulnerabilities

Employee negligence is only part of the internal threat to data security. Companies are also vulnerable to intentional acts, where employees abuse their access to information. The most serious cases involve employees who collude with organized crime groups, unscrupulous competitors, or those looking for an inside-information trading edge, and hand over sensitive information.

These groups target particular types of information, such as trade secrets or intellectual property, says Sims, and gain access through blackmail or bribery. Those are the threats that become “very hard to control,” he says.

One effective measure to mitigate internal threats of a data breach is to continuously monitor the network, computer systems, and the data for activity, says Sims. Another preventative measure is to enforce access controls, limiting access to sensitive information to those who need it.


Sims notes that companies traditionally have taken an “outside-in approach” to data breach prevention by securing the company's perimeter and interconnectivity to the Internet. Over the next few years, however, forensic experts agree that security measures will start to take an “inside-out approach.” With this approach companies track where data is created and where it flows, such as when it is stored on a laptop or when it moves outside the firewall.

“It's really about rethinking security,” says Kelly Bissell, a principal at Deloitte who leads the firm's Information and Technology Risk Management practice. Security is more than just being compliant with rules and regulations; security is about taking a risk-based approach and figuring out how to protect the company's most sensitive data, Bissell says. “If they adopt that mindset—not from a security view but a business view—that's a much better approach,” he says.

More companies today are also consulting with their boards on security risks. As recently as three or four years ago, boards of directors were not all that concerned with data security, says Bissell. “Today, I can't think of one that is not concerned with it,” he says.

Know where all sensitive data is located. “If you don't know where it is, you don't stand a chance at preventing a data breach,” says Sims. Only after a company knows where its data is located can it begin to think about how to secure it, he says.

Follow a data retention policy with a plan to securely delete or dispose of unneeded data. “We're seeing a lot of breaches in which the sensitive data that was compromised was obsolete,” says Danny Miller, national cyber-security practice leader at Grant Thornton.

“It's prudent to ask, ‘do we really need this data—and how long do we need to retain it?’” says Snell.

Another safeguard is to classify data by distinguishing between information that can be made publicly available versus information that is for internal communications only, senior management only, or divisional only, says Miller.

Incident Response Plan

When a breach does occur, having a practical response policy in place can help to minimize the severity of the breach or ward off others from occurring. “It's not a matter of if you're going to have a breach or an incident, it's when,” says Miller.

Some companies might not be learning from their mistakes, the survey indicates, leading to multiple data breaches. According to the SCCE survey, 37 percent of respondents said they've suffered more than one data breach, 17 percent reported two or three incidents, and 20 percent reported four or more.

DATA BREACH DATA

[Charts from the Society of Corporate Compliance and Ethics' “Data Breach Incidents & Responses” survey. Chart 1: How many data breaches has your organization suffered in the last year? Chart 2: What was the source of the last data breach your organization suffered? Source: Society of Corporate Compliance and Ethics.]

A common mistake in implementing incident response policies, says Sims, is that companies often make them so lengthy and complex that no one can retain the information, much less execute on it in the event of an incident. “Keep it short,” he advises.

An effective incident response policy should not exceed 30 pages. It's more of a framework that allows flexibility in the organization, given that the IT environment and the location of the data are constantly changing.

Scenario planning can also help companies prepare for how to respond to a data breach. Perform mock breaches so that each person knows what their department's roles and responsibilities are in the event of a breach, says Miller.

Don't jump into a response plan prior to knowing exactly what happened, say data security experts. “What happens during that rush is that the investigation has not unfolded fully, and the full scope of a threat activity has not been identified,” says Sims. As a result, the company unknowingly fails to contain all the data that's been compromised, he says.

“You have to have the patience to let the investigation unfold,” says Sims. If not, the odds are that the threat actor will continue to have access to that sensitive information. Another potential problem of reacting too quickly is that companies could falsely alert customers or others that their personal information has been compromised when it hasn't.

Also keep in mind: data breach notification laws generally require companies to notify consumers whose personal information has been compromised by a security breach “in the most expedient time possible” or “without unreasonable delay.” Only four states—Alabama, Kentucky, New Mexico, and South Dakota—have no such laws.