Hacking breaches catch all the headlines, but the reality is most compromises come from within.
Only 25% of data breach cases are the work of external attackers, according to new research from Forrester, and only 12% of cases came from insiders with ill intent. That leaves 63% of the issues caused by something more mundane, like losing or misplacing corporate assets, the report has found. Physical theft of items like laptops and smartphones is part of the 63% as well, as is “inadvertent misuse” of company privileges and equipment.
“It’s not simply just a matter of having the appropriate tools and controls in place. It’s worth noting that only 56 percent of information workers in North America and Europe say that they are aware of their organization’s current security policies,” said researcher Heidi Shey in the report.
As for the data affected by the breaches, employee and customer personal data accounted for 22% of cases reported, while intellectual property accounted for 19%. Sensitive identity management credentials like user names and passwords came in at 11%.
Forrester questioned more than 7,000 employees across North America and Europe for the survey, and also found consumerization and the bring-your-own-device (BYOD) trend are fueling mobile security concerns in the enterprise.
Around 30% of survey respondents said they didn’t think there was enough of a dividing line between consumer and corporate data on mobile devices. That spurred 39% to say they worried about a lack of data leak prevention on mobile devices, with half concerned about the consequences of simple physical theft.
Most organizations seem to have policies when it comes to mobile security, but most of them don’t have adequate protections in place because they lack the tools required to enforce those policies, Forrester found. While most mobile devices have native capabilities as measures against breaches – such as passcodes or passwords, and remote lock and wipe – almost 25% of those surveyed said they don’t have any form of data protection implemented on their devices.
All in all, it seems that employee training for security awareness is in order. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” Shey said.