- Thirty-nine percent of companies' data breaches start internally, as opposed to stemming from an outside attack, according to a Harvard Business Review (HBR) report. That number includes threats categorized as negligent, malicious or accidental.
- HBR says that employees' lax or errant behavior lowers an organization's defenses against phishing, viruses, malware and network attacks, so employers must update training programs as threats evolve.
- Employers also can identify workers who are putting their systems at risk by using analytics that can evaluate documents for proprietary content, review users' activities and track the flow of data across the organization, according to HBR.
This research serves as a reminder that employers can't overlook the possibility of internal breaches, and that training is one of the best defenses.
Other reports have reached similar conclusions: Willis Towers Watson's Cyber Risk Culture Survey found that 90% of cyber risks are due to human error, and that 66% of cyber breaches are the result of employees' negligence or maliciousness. Only 18% of cyber threats were from external sources. Likewise, a report by cybersecurity firm Dtex Systems found that 95% of organizations have workers who try to override web and security restrictions. These behaviors can be a precursor to data theft and other malicious activity in the workplace.
In addition to regular training, employers can set cybersecurity policies and vigorously enforce them. It may be especially useful to have policies covering personal devices used at work, which can leave employers particularly vulnerable to breaches.