Cybersecurity

Who Costs the Company More? Employees or Cybercriminals?

It is widely known in cybersecurity that the door to a data breach is often opened by employees. In what percentage of breaches is an employee directly at fault?

Cynthia James
September 5, 2014

It is widely known in cybersecurity that the door to a data breach is often opened by employees. Sometimes even quite literally – as when end users are duped into allowing criminals to physically access computers. More frequently, the end user’s participation is unwitting; opening an infected email attachment, going to the wrong website, or leaving the office with an unencrypted laptop that is later stolen. We know this happens, but how often? In other words, in what percentage of breaches is an employee directly at fault?

Who Costs the Company More? Employees or Cybercriminals?
Tweet

To answer this question, let’s look at the three ways in which an employee can contribute to, or cause, a breach:

Intentionally and with malice (considered an “inside threat”)
Unintentionally – without malice and sometimes without knowledge, including:

o opening an attachment that launches an infection

o allowing an unencrypted laptop or USB to be stolen

Intentionally violating policy, but unintentionally causing a breach, including:

o Deliberately breaking the rules to solve what is perceived to be a greater problem, such as bypassing email security to email a too-large file – and sending it to the wrong external email address

o Taking Personally Identifiable Information (PII) offsite without it being encrypted, knowing there is breach potential

The reason to break these acts into separate categories is that some are more “discoverable” than others. It can take some pretty sophisticated forensics to determine which employee opened the email attachment that eventually gave cybercriminals control of the network. Even when companies are able to reconstruct these details, they often don’t share them. Thus we don’t always know when an employee assisted with an external hack. However, we do know how many (reported) data breaches occur because of employees losing data.

If we want to figure out the percentage of time employees are responsible for a breach, currently we only have this set of information to work with:

Those that are direct cybercriminal hacks – and it’s anyone’s guess how many of these gained a foothold by way of employee mistakes
Those that are directly attributed to employee error, malice or deliberate policy violation

However, analyzing these numbers can still yield some useful data. In fact the results get even more interesting if we break them down by industry, since it turns out that industries vary widely in terms of employee error rates. For example, the level of employee error appears to be much higher in Healthcare than in Education, and much higher in Education than in Defense.

From the beginning of 2014, a look at all reported breaches* in the US shows:

100% of Federal government and Defense breaches are caused by cybercriminal hacks
50% of Higher Education breaches are caused by cybercriminal hacks
20% of Healthcare breaches are caused by cybercriminal hacks

This means that at least 50% of Higher Education breaches and 80% of Healthcare breaches are directly attributable to employees violating policy. So why do the numbers vary so much by industry and what can we do about it?

Comparing these business sectors, there are three major components that appear to predetermine where a company falls in terms of percentage of employee breaches. They are:

How often and in what ways employees interact with valuable data (or PII for private industry)
How well educated employees are about cybercrime risks
How well enforced security policies are

The Federal government, with the lowest employee error or theft rate (Snowden being considered an outlier) does an excellent job controlling all of these aspects because, in general, they only allow access to data on “need to know” basis, they mandate cybersecurity education, and they strictly enforce security policy.

Employee education is one of the key ways to diminish IT security breaches.
Tweet

This also helps us understand why Healthcare employees are responsible for more data breaches: they handle PII more frequently than employees in other industries. This exponentially increases the opportunity for employees who are undereducated about cybercrime to do foolish things.

While we may not be able to easily affect the PII handling rate on a per industry basis, we have every reason to focus on the part of the problem which is eminently fixable: employee education. It only takes about 10 minutes to explain to someone what cybercriminals do with PII, why encryption matters and how the most common infection vectors work. Such education tools are widely available and free. The problem isn’t a lack of tools or resources; the problem is that very few organizations are willing to insist upon it.

For a webinar on this topic and other cybercrime trends see here.

What is Malvertising?

Malvertising is an ambiguous term referring to malicious online advertisements; some cause malware infection while others track user behavior.

Privacy & Kids

Who Costs the Company More? Employees or Cybercriminals?

European cybersecurity webcast with global impact

High-level webcast: Discussing European cybersecurity challenges with stakeholders from EU and member states

What is Malvertising?

Tips

Advertisers sharing data about you with… intelligence agencies

Residential proxies: understanding the risks for organizations

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Sign up to receive our headlines in your inbox

Home Solutions

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia