Employees top cause of security mishaps

'Technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers'
By Erin McCann
11:03 AM

When it comes to healthcare data security breaches, law firms can offer firsthand insight into what they see from their clients. A new report sheds light on the No. 1 cause of security incidents for which companies sought legal guidance.

The report, conducted by the BakerHostetler privacy and data protection team, is based on more than 200 security incidents the firm advised clients on during 2014. And what they found from working with their 160 clients that experienced data security events? The lion's share of them were caused not by cyberattacks or lost unencrypted devices but instead by good old-fashioned human error.


Working with a forensic firm, BakerHostetler officials found that employee negligence topped the list of the five biggest causes of security lapses, accounting for 37 percent of them. Device theft by outsiders placed No. 2 on the list at 22 percent, followed by employee theft at 16 percent, malware at 14 percent and phishing at 11 percent.

"While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps," said Gerald Ferguson, co-leader of BakerHostetler's privacy and data protection team, in a press statement. Employee training, he added, needs to be better emphasized, in conjunction with advanced security infrastructure. 

All told, a company's employees are responsible for a whopping 53 percent of all events.

"Sure, encrypting portable devices can help in cases where employees leave devices in unlocked cars, but technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers," BakerHostetler officials wrote in the report. "Companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right 'tone from the top' and appropriate information security policies and procedures."


These findings, which draw on data from client cases and forensic firms across various industries, contrast with the recently published annual Ponemon Institute report on healthcare data breaches, which placed cyberattacks as the No. 1 cause of data breaches in 2014.

When the privacy and data protection team broke the numbers down by industry, there were also some interesting findings in the healthcare realm. For instance, security incidents were more frequent in the healthcare industry than in any other. This didn't come as a huge surprise to officials, considering the HITECH breach notification requirements. But the severity of these breaches was significant.

Firm officials also identified the average amount of time it took for security missteps to be discovered, and the number underscored a huge opportunity for improvement. On average, it took organizations 134 days from the time an event occurred to the time it was detected.