In January to June last year, over 30% of data breaches involving the loss of personally identifiable information (PII) were caused by internal intrusions, while 29% was caused either accidentally or maliciously by employees.
The findings, from the Data Protection Best Practices and Risk Assessment Guides, has led Richard Pharro, CEO of APM Group, to comment:
"These results confirm the very real world of cyber and data security," Pharro said. "All too many businesses imagine threats to their data emanate solely out of the criminal underworld, and are therefore beyond their reach or control. The impact of this is a defeatist attitude: If would-be hackers are bent on accessing my company’s data, what can I really do to stop them? Those threats do of course exist, and indeed are growing, but the most prominent and pertinent threats to businesses’ data relate to human error and data hygiene."
Pharro continued: "CEOs must now become fluent in the language of cyber security and advance the way in which their companies deal with threats. Security officers should be monitoring their internal workings more proactively and reacting to attacks in a much more dynamic manner. It must be remembered by all that a successful security framework will protect from the inside out and outside in, along the lines of the perimeter, collecting information and contextualising it to provide actionable intelligence.
"Assessing internal capabilities and competencies in all respects is a much more effective way of dealing with the new style of threat and this can be done on an almost routine basis using capability assessment tools. Organisations have at their disposal dynamic tools, which can empower companies with a tailored, on-going assessment of their current cyber security ability to highlight ‘at risk’ areas. This then provides a detailed roadmap on how best to mitigate these factors," he continued.
"The culture of social media and the lax attitude to privacy that goes with it is a trait that is contrary to business protocol regarding the disclosure of commercially sensitive information. Employees now have the platform to disclose this to potentially large amounts of Twitter and Facebook users but these sites are also significant targets for cyber criminals.
"A rigorous policy backed up with regular training must be the solution. Companies should also be mindful that analysis of these social conversations can create security intelligence which in the longer term can feed into processes and enhance security levels within the company", Pharro added.
"Data security is now clearly a board room issue which must be front of mind for those at all levels within the company. As a baseline solution, passwords should be kept updated and sensitive files should always be encrypted. Regular training on phishing and malware can form an integral part of the preventions process. Clear visibility puts companies in the strongest possible position so capability and assessment tools can provide much needed direction in this area.
Pharro concluded, "Cyber security is now an essential part of our interconnected business world and requires the full attention of senior management as pressures increase and mobile integration advances."