“Human behavior flows from three main sources: desire, emotion and knowledge” – Plato
The biggest factor in determining where breaches stem from is rooted in human behavior. Influenced by culture, attitudes, emotions, values and ethics, human behavior is the “X” factor that companies must account for. The question enterprise IT teams should ask themselves isn’t “which security solution do we like best?” but “which security solution best accounts for human behavior?” After all, it is humans who are creating and sending malware to enterprises, humans who are misusing company data and losing their mobile devices, and humans who need to be educated on data protection. Humans are the common denominator of all security breaches. Address the human factor, and you’ll be on your way to effective data protection.
The image below is from the 2014 California Data Breach report. It paints a clear picture of breach types by industry category in California. In analyzing this data, I couldn’t help but think that each industry must have its own set of insider and outsider behavioral characteristics as well. I mean, it makes perfect sense. While there are certainly factors that span all humans (e.g., dislike of enemies, love for friends and family), some are based on an employee’s workday, or on a hacker’s knowledge of, or personal feelings toward, a particular industry. There must be behavioral differences between industries.
I decided to dig a bit deeper, and look into what human factors might be leading to breaches in the Finance and Healthcare industries to see if there was a direct relationship between behaviors and breaches. Here’s what I uncovered.
Sherlock Holmes meets security:
38% of financial breaches stem from malware and hacking attacks. This isn’t too surprising, as cyber criminals are well aware that financial institutions hold the world’s most protected financial information, with checking and savings account numbers the most sought after. What was more shocking was the fact that the Financial industry accounts for 58% of all “misuse” based security breaches. Finance professionals can be competitive (think about your friend who works on Wall Street; you know I’m right). This can cause them to take more risks with company data: downloading it, taking it home to work long hours, and not exactly abiding by company policies. This misuse introduces a good amount of risk to company data.
The “Trusted device” approach ends up biting these companies in the rear. As these devices travel outside company networks, cyber criminals bombard them with malware and gain access to the devices. Once employees re-enter the company network, the criminals scoot in undetected, under the guise of a “Trusted device.” For finance, more emphasis needs to be placed on educating employees on data security best practices.
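To make the “Trusted device” failure mode concrete, here is an added example (not code from the original post or from Bitglass) that contrasts a static trusted-device list with a policy that also demands a fresh endpoint posture check after a device has been off the corporate network. The device records, the 24-hour freshness window, and the posture fields are constructed assumptions for illustration.

```python
"""Device-trust policy check: static "trusted device" list vs. posture-aware re-entry.

Added illustration, not code from the original post or from Bitglass.
All device records, timestamps and the 24h freshness window are constructed
sample values chosen to show the difference between the two policies.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Device:
    device_id: str
    enrolled: bool                 # on the company's "trusted device" list
    last_posture_check: datetime   # last time endpoint health was verified
    was_off_network: bool          # left the corporate network since that check
    av_signatures_current: bool    # endpoint protection up to date


def trusted_list_allows(device: Device) -> bool:
    """The approach the post criticises: trust follows enrollment alone."""
    return device.enrolled


def posture_aware_allows(device: Device, now: datetime,
                         max_age: timedelta = timedelta(hours=24)):
    """Assumed policy: enrollment is necessary but not sufficient.

    A device that has been off-network must present a recent posture check,
    and its endpoint protection must be current, before it is treated as
    trusted again. Returns (allowed, reason).
    """
    if not device.enrolled:
        return False, "not enrolled"
    if device.was_off_network and now - device.last_posture_check > max_age:
        return False, "posture check stale after leaving the network"
    if not device.av_signatures_current:
        return False, "endpoint protection out of date"
    return True, "ok"


# Constructed sample: an enrolled laptop that spent a week off-network and
# comes back with an outdated posture record.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
RETURNING_LAPTOP = Device(
    device_id="LAPTOP-0042",
    enrolled=True,
    last_posture_check=NOW - timedelta(days=7),
    was_off_network=True,
    av_signatures_current=True,
)
HEALTHY_DESKTOP = Device(
    device_id="DESK-0007",
    enrolled=True,
    last_posture_check=NOW - timedelta(hours=2),
    was_off_network=False,
    av_signatures_current=True,
)


def compare_policies(device: Device, now: datetime = NOW) -> dict:
    """Evaluate both policies for one device so the gap is visible side by side."""
    allowed, reason = posture_aware_allows(device, now)
    return {
        "device_id": device.device_id,
        "trusted_list": trusted_list_allows(device),
        "posture_aware": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    for d in (RETURNING_LAPTOP, HEALTHY_DESKTOP):
        print(compare_policies(d))
```

The static list lets the returning laptop straight in; the posture-aware check refuses it until a fresh health check is recorded, which is the point at which malware picked up off-network would have a chance of being caught.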
An even clearer example of the effects of human behavior on security breaches can be seen in the Healthcare industry. Healthcare employees are extremely overworked, having to work long hours, sometimes at multiple healthcare facilities in a day. Several institutions embrace BYOD, complicating this further. This is a culture that is a breeding ground for lost mobile devices, which make up 68% of all healthcare breaches. Criminals also know that healthcare organizations are often functioning on low budgets, which prevents them from staying up to date with the newest security technologies and makes them more likely to have weak security in place. Organizations functioning within the healthcare industry should address the problem of lost mobile devices ASAP.
Wrapping things up:
It’s important to realize that in most cases it’s not an angry employee trying to get back at a company for laying them off. This isn’t to say that there’s no risk from angry employees; there is. With 45% of ex-employees still having access to confidential data, it’s a real possibility. But for the most part it’s the busy workday, misuse of data and lack of security education that open the door to security breaches. Companies need to make a habit of updating employee access on a regular basis, ideally as soon as an employee departs. Single sign-on systems do a great job of alleviating this issue.
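The habit described above, revoking access as soon as someone departs, is easy to check for. The following added example (not code from the original post or from Bitglass) reconciles a constructed HR roster against a constructed directory export and flags accounts that are still enabled after the termination date, plus accounts with no HR owner at all. The record layout, field names and dates are assumptions made for the illustration.

```python
"""Offboarding reconciliation: find accounts that outlive their owners' employment.

Added illustration, not code from the original post or from Bitglass.
HR_ROSTER and ACCOUNTS are constructed sample data; real deployments would
read them from the HR system and the identity provider / directory.
"""
from datetime import date

# Constructed HR roster: employee id -> record. terminated_on is None while employed.
HR_ROSTER = {
    "E100": {"name": "Alice", "terminated_on": None},
    "E101": {"name": "Bob", "terminated_on": date(2024, 3, 1)},
    "E102": {"name": "Carol", "terminated_on": date(2024, 5, 20)},
}

# Constructed directory export: one row per account.
ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "enabled": True},
    {"username": "bob", "employee_id": "E101", "enabled": True},    # left in March, still enabled
    {"username": "carol", "employee_id": "E102", "enabled": False},  # correctly disabled
    {"username": "svc_legacy", "employee_id": "E999", "enabled": True},  # no HR owner
]


def find_lingering_access(hr_roster, accounts, today):
    """Return (username, finding, days_since_departure) for risky accounts.

    Two findings are raised:
      - "enabled after departure": HR says the person left but the account is on.
      - "no matching HR record": nobody in HR owns this account, so nobody's
        departure would ever trigger its revocation.
    """
    findings = []
    for acct in accounts:
        emp = hr_roster.get(acct["employee_id"])
        if emp is None:
            findings.append((acct["username"], "no matching HR record", None))
            continue
        term = emp["terminated_on"]
        if term is not None and term <= today and acct["enabled"]:
            findings.append((acct["username"], "enabled after departure", (today - term).days))
    return findings


def departed_with_access_ratio(hr_roster, accounts, today):
    """Share of departed employees whose account is still enabled (0.0 to 1.0).

    This is the same kind of figure as the 45% quoted in the post, computed
    for the constructed data; returns 0.0 when nobody has departed.
    """
    enabled_by_emp = {a["employee_id"]: a["enabled"] for a in accounts}
    departed = [eid for eid, rec in hr_roster.items()
                if rec["terminated_on"] is not None and rec["terminated_on"] <= today]
    if not departed:
        return 0.0
    still_on = sum(1 for eid in departed if enabled_by_emp.get(eid, False))
    return still_on / len(departed)


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for username, finding, days in find_lingering_access(HR_ROSTER, ACCOUNTS, today):
        extra = f" ({days} days)" if days is not None else ""
        print(f"{username}: {finding}{extra}")
    print(f"departed employees with access: {departed_with_access_ratio(HR_ROSTER, ACCOUNTS, today):.0%}")
```

Run on a schedule, the first finding is the one the post asks companies to act on as soon as an employee departs; the second catches accounts that offboarding can never reach because no departure event is tied to them.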
If this isn’t convincing enough, I urge you to conduct your own mini-experiment. Find a company that has been breached in the past (hopefully not yours) and spend a few minutes thinking of the human factors that could have led to it. I’m willing to bet that you’ll find a connection.
Product Marketing Manager @Bitglass