With ample research to suggest that human error is the biggest cause of data breaches, we have to ask: is this really surprising? The proliferation of data loss stories in the media proves that the problem of human error, or indeed human nature, isn’t going anywhere, so isn’t it time that enterprises woke up, smelled the coffee and invested in technologies that protect them from their employees?
The USB research, by internet security firm ESET, found that on average, four USBs are left in dry cleaners every year, equating to 22,266 USBs nationwide. Devices were only returned to their rightful owners 45% of the time.
There were more amusing things left, such as Viagra, condoms, and dentures, but these are significantly less likely to breach your corporate network. Nevertheless, it shows human nature’s propensity to make mistakes.
Human error is the number one cause of data breaches
There is broad agreement within the industry that human error is the cause of most data breaches. The IT Policy Compliance Group says 75% of ALL data loss is due to human error. The Aberdeen Group says 64%, CompTIA said human error accounts for 52% of the root causes of security breaches and, most recently, Databarracks said the top cause of data loss was employee accident (24%).
Protect yourself from your employees
As it is human nature to make mistakes, and those mistakes are very clearly the top cause of data breaches, enterprises need to start protecting themselves from human error. They need to put themselves in a position where it doesn’t matter how many mistakes are made, or USBs get lost. To do this, they need both the right technologies and the right culture.
The kinds of technology that can help
Opting for technology solutions that include location tracking means that the lost USB can often be found after a loss. Location tracking technology also allows the enterprise to limit access on an ad hoc basis or via rules, so that data is only available within certain geographic zones.
One of the many issues with lost USBs is not knowing or not being able to prove to the ICO what was on, or not on, the device. With file auditing, the enterprise can see all the files that are added, copied, printed or deleted from all devices, at all times.
On its own, encryption isn’t enough, but in combination with technologies like those above, it can be a good solution for the IT security department’s toolbox. Beware of difficult encryption that end users will find ways to disable.
The ability to delete data remotely is a very powerful one. Beware of the technologies you choose here, though, as some devices can only have data wiped when connected to the internet, which, of course, a USB may or may not ever be.
There are two common themes with these types of technologies.
Firstly, they take control away from the end-user and put it firmly in the hands of the enterprise.
Secondly, as well as helping the enterprise monitor its data generally, these technologies also help deal with the scenario of a USB or mobile device being lost, so there is something you can do should the inevitable mistakes happen.
For any data security technology to be successful, it must be introduced in an environment that includes training on how to handle corporate data, and not in a blame culture but in one that promotes the idea that reporting a data breach to a line manager is a good thing and not something that will get an employee fired.
source: Norman Shaw