Employee errors cause most data breaches: Here’s how CISOs can take back control

Benjamin Redfield

Employee errors and misdeeds can account for 52% of data breaches, according to a study published in SC Magazine. Employees are often accessing unknown networks or saving data to Dropbox-type storage, and their devices are doing double duty for personal use. Data has moved beyond the control of the cybersecurity team.

This was recently highlighted by a CompTIA study reported in The Washington Times. Here, 200 unmarked USB sticks were placed in public spaces with a file and email address loaded on each. A staggering 17% of the sticks were picked up and plugged in, the file opened and either the link clicked or an email sent – including by at least one security professional.

The Washington Times cited our own research: By analyzing data collected from over 700,000 customer devices, MAX Risk Intelligence “determined that the average liability of a server equates to $301,098, with the average liability of a desktop computer clocking in at $48,843.”

The report also found that:

  • 87% of desktops and laptops had unprotected credit card numbers on them
  • 36% had unprotected social security numbers

Read more in the MAX Risk Intelligence Data Breach Risk Brief 2015.

When ‘Cool Trumps Safe’ in your organization

Most employees mean well, but have not prioritized security. Sound familiar?

  • Mary in Marketing is too busy putting customer lists into an agency’s Dropbox to worry about sharing sensitive data.
  • Joe in Engineering doesn’t want to compromise speed to market and usability to add more security measures.
  • Raul in Accounting simply forgot to update his software and is missing the latest security patches.

Even the most advanced perimeter protections cannot control unsafe employee behavior that opens the door to malware, exposes sensitive data, or otherwise compromises security. If they could, then companies with those protections would not be in the headlines.

As FBI CISO Arlette Harte put it best: for most employees, when it comes to technology, “cool trumps safe”.

How can you as a security leader possibly make employees accountable?

Making Security Stick

First, if you are sending security requests by email, the message may be getting lost. The average business user sends and receives 121 email messages a day, according to Radicati. So how can you get security requests to stand out?

How do you cut through the clutter? Take a page from Google, which customizes ads, news and articles to hold your attention. This is called “personalization”.

Next, to be truly effective over the long term, security must become a part of an organization’s culture. According to Harvard Business Review’s article Cultural Change that Sticks, “Prioritize the behaviors that will have the greatest impact on your company’s ability to implement its strategy. Choose ones that will be widely visible to others and are most likely to be emulated.”

So to have your security requests acted upon, you need to:

  • personalize the message
  • prioritize the most important actions to be taken
  • make it visible to others

Putting a unique dollar number on data breach risk creates an instant, effective connection with non-technical employees – and one that can be highly visible, measured and compared.

Employee Security Report Card: A personalized to-do list

MAX Risk Intelligence provides a one-click tool to scan employee desktops, laptops and mobile devices for:

  • Unprotected sensitive data like credit card numbers, social security numbers, health information and other personally identifiable information
  • Vulnerabilities
  • Access permissions

These threats are then weighted by an industry-standard breach cost to provide the device’s Security Number. The MAX Risk Intelligence Security Number is the unique, real-time cost if an individual device were to be breached.

Within minutes, employees get a personalized security report card with:

  • Their own Security Number
  • A list of the unprotected data on their device, with the file names where it resides
  • A list of vulnerabilities ranked by severity and with links to sites to fix them
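As an added illustration (not the MAX Risk Intelligence tool's own code), the scan-and-weight idea above can be modelled in a few lines of Python: find unprotected card numbers and social security numbers in a device's files, weight each record by a per-record breach cost, and build the personalized report card. The file contents and the cost weights are constructed stand-ins, not the industry-standard figures the product uses.

```python
import re
# Constructed sample "device" contents for this example (not real data).
SAMPLE_FILES = {
    "customers.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,4242424242424242\n"
                     "Carol,1234 5678 9012 3456\n",
    "hr_notes.txt": "Employee SSN on file: 123-45-6789. Phone 555-123-4567.\n",
    "readme.md": "Nothing sensitive here. Version 2.0.1\n",
}
# Assumed per-record breach cost weights: illustrative stand-ins, not the
# industry-standard figures the MAX Risk Intelligence tool applies.
COST_PER_RECORD = {"credit_card": 100.0, "ssn": 150.0}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: drops card-like digit runs that are not valid PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return {finding_type: [matches]} for one file's contents."""
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group(0)))]
    return {"credit_card": cards, "ssn": SSN_RE.findall(text)}

def security_number(files):
    """Weight each unprotected record by its cost; return (total $, findings)."""
    total, findings = 0.0, []
    for name, text in files.items():
        for kind, hits in find_sensitive(text).items():
            if hits:
                cost = len(hits) * COST_PER_RECORD[kind]
                total += cost
                findings.append((name, kind, len(hits), cost))
    return total, findings

def report_card(files, team_average):
    """Personalized report card: own number, team average, where the data lives."""
    total, findings = security_number(files)
    lines = [f"Your Security Number is ${total:,.0f}. Team average: ${team_average:,.0f}."]
    for name, kind, count, cost in sorted(findings, key=lambda f: -f[3]):
        lines.append(f"  {name}: {count} unprotected {kind} record(s) -> ${cost:,.0f}")
    return "\n".join(lines)

print(report_card(SAMPLE_FILES, team_average=250))
```

The Luhn check is what keeps the third "card" in customers.csv out of the total; a real scan would add vulnerability and access-permission findings with their own weights in the same way.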

_____________________________________________________________________

Which request would you be more likely to follow?

“All employees must run a virus scan”, or

“Your Security Number is $150,000. The average for your team is $10,000. The Security Number represents the cost if your device were to be breached. Here’s what you need to do now.”

Or what about this?

"Your security number is $150,000. One of your Key Performance Indicators (KPIs) for the quarter is to reduce your risk to $10,000. Here’s how."

_____________________________________________________________________

Motivation: The million dollar laptop

By scanning and tracking individual devices, managers have the ability to integrate security targets into employee KPIs and provide incentives for reducing risk.

Or it may be even simpler. Does anyone really want the CEO to know they are the one with the “million dollar laptop?”

This is not an exaggeration. Our scanning has revealed desktops and laptops with a hundred million dollars’ worth of unprotected data and severe vulnerabilities. The highest to date is $300 million in data breach risk.

Find Your Own Security Number

The first step in understanding the motivational power of the Security Number and report card is to get yours. You can find your Security Number right now with a free trial.