Employees top cause of security mishaps

‘Technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers’

When it comes to healthcare data security breaches, law firms can offer firsthand insight into what they see from their clients. A new report sheds light on the No. 1 cause of security incidents for which companies sought legal guidance.

The report, conducted by the BakerHostetler privacy and data protection team, is based on more than 200 security incidents the firm advised clients on during 2014. What did the firm find from working with the 160 clients that experienced data security events? The lion's share of the incidents were caused not by cyberattacks or lost unencrypted devices but by good old-fashioned human error.

Working with a forensic firm, BakerHostetler officials found that employee negligence topped the list of the five biggest causes of security lapses, accounting for 37 percent of them. Device theft by outsiders placed No. 2 on the list at 22 percent, followed by employee theft at 16 percent, malware at 14 percent and phishing at 11 percent.

“While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps,” said Gerald Ferguson, co-leader of BakerHostetler’s privacy and data protection team, in a press statement. Employee training, he added, needs to be better emphasized, in conjunction with advanced security infrastructure.

All told, a company's own employees (negligence plus employee theft) are responsible for a whopping 53 percent of all events.

“Sure, encrypting portable devices can help in cases where employees leave devices in unlocked cars, but technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers,” BakerHostetler officials wrote in the report. “Companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right ‘tone from the top’ and appropriate information security policies and procedures.”