It’s easy to focus only on the bad guys when it comes to cyber threats. In fact, it’s hard not to with a major event seemingly reported daily. Take last year as an example: it began with DDoS attacks targeting financial institutions, moved on to the Chinese supposedly stealing the intellectual property of U.S. businesses and the Adobe data breach that turned into a multi-network security risk, and finished with the Target breach just in time for the holidays.
As significant as these events are, however, for most businesses the biggest threats come from within – sometimes with malicious intent but often just by accident.
As the editor of Advisen’s Cyber edition of Front Page News (FPN), I can’t help but notice how frequently a breach of PII occurs as a result of human error. Whether it’s improperly disposing of physical records, mailing personal information to the wrong people, losing unencrypted flash drives and laptops or publicly posting confidential information on the Internet, it is carelessness, not bad guys, that’s often the culprit.
Like when the University of Chicago reported a “university error” that led to nine thousand plus university employee Social Security numbers being printed onto postcards and sent out to university faculty and staff.
So last fall, when a study by Forrester concluded that insiders were the leading source of breaches and that 36 percent were a result of careless employees, I can’t say I was surprised.
This got me thinking: can human error ever really be prevented? Of course, through training, better communication and improved processes and procedures, you can probably decrease the likelihood of an accidental data breach. In fact, security experts universally call for better employee education. But I have yet to see a study that quantifies the benefits. We’re human after all, and they’re called accidents for a reason.