Symantec and the Ponemon Institute released the 2013 Cost of Data Breach Study: Global Analysis yesterday. The findings aren’t that surprising. In fact, they are consistent with what other studies reveal – data breaches are caused by human error or system error. It is like companies are opening the doors to hackers and saying, “Come on in!” Well, surely they aren’t doing that – I hope they aren’t doing that – but the areas where these breach studies consistently find problems, the mistakes happening inside the company, do raise the question of how seriously companies are taking security.
One of the points that kept getting stressed at the CEIC 2013 conference I attended a couple of weeks ago was that the Internet was not developed with security baked into it. Security was never even a consideration because the original developers didn’t think this Internet thing would go beyond the very small group that started it. Adding security now, these experts said over and over, is tough because the Internet wasn’t built for security.
Maybe not. But that doesn’t mean people can’t learn how to be smarter about the way they use the network and make every effort to avoid the potential for security leaks and data breaches. Yet, that’s not happening, and in the end, that’s costing businesses of all sizes a lot of money. As was pointed out at TechTarget’s SearchSecurity site:
The study, sponsored by Symantec, found that the cost per lost record in an average breach incident increased modestly, from $130 to $136. Germany and U.S. organizations had the highest costs, $199 and $188, respectively.
Now, to give credit where credit is due, the total cost per data breach incident was down slightly at $5.4 million, and the reasons given are the rise in hiring CISOs who have enterprise-wide responsibilities and better incident response plans. Still, as Larry Ponemon, chairman, Ponemon Institute, said in a release:
Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22 percent since the first survey.
And, in fact, what the report found was that human errors and system problems account for 64 percent of data breaches in the global study, while prior research shows that 62 percent of employees think it is acceptable to transfer corporate data outside the company and the majority never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.
Again, that companies are hiring security personnel and instituting more security measures is a good thing, but so much of it comes down to that very basic premise – security education needs to be stressed to every single employee. They need to understand why their behavior matters. You can’t eliminate human error. The trick is figuring out how to lessen it. Because most employees have by now been using the Internet and computers for years, if not decades, there are fewer excuses for not understanding better security practices.