New Research by Ponemon Institute and Trend Micro: Most Companies Fault Employees for Data Breaches

News provided by

Mar 05, 2012, 03:00 ET

CUPERTINO, Calif., March 5, 2012 /PRNewswire/ -- Employee negligence or maliciousness is the root cause of many data breaches, according to a report – "The Human Factor in Data Protection" -- released by Ponemon Institute and sponsored by Trend Micro Inc. (TYO: 4704;TSE: 4704), a global cloud security leader. Over 78 percent of respondents blame employee behaviors, both intentional and accidental, for at least one data breach within their organizations over the past two years. Click here for the full report.

The top three root causes of these breaches are employees' loss of a laptop or other mobile data-bearing devices (35 percent), third party mishaps or flubs[1] (32 percent) and system glitches (29 percent). Alternatively, nearly 70 percent of those surveyed either agree or strongly agree that their organization's current security activities are not enough to stop a targeted attack or hacker, according to the study which surveyed 709 IT and IT security practitioners in the United States.

The report reveals that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents. Only 19 percent of respondents say that employees self-reported the data breach, making it difficult to promptly resolve the breach. Thirty-seven percent say that an audit or assessment revealed the incident and 36 percent say that data protection technologies revealed the breach.

Worse for SMBs
SMBs are at a greater risk of their employees mishandling data than enterprises, according to a separate analysis of the overall respondents from organizations with less than 100 employees. Overall, SMBs have a slightly higher rate of data breaches – 81 percent versus 78 percent – due to employees mishandling of sensitive data.

SMB employees were reported to be more likely to engage in "risky" behavior: 58 percent of them will or have already opened attachments or web-links in spam, versus 39 percent from enterprises; 77 percent will or have already left their computer unattended, 62 percent from their enterprise counterparts. The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limit websites, compared to 43 percent of enterprise employees.

The majority (65 percent) of smaller organizations say that, in general, their organizations' sensitive or confidential business information is not encrypted or safeguarded by data loss protection technologies. Further, employees are less likely in smaller organizations to spend time on data protection or have the proper technologies in place to thwart data loss: 62 percent of organizations believe they are not protected. Of these respondents, 65 percent say it is because technologies are too expensive and 54 percent say they are too complex.

"Our conclusion is that most threats posed by employees and those within companies are becoming more prevalent because of the mobility of the workforce, proliferation of mobile data-bearing devices, consumerization of IT, and the use of social media in the workplace. We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks. Combined with data-centric security technology, education and awareness among employees are essential," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

Recommendations to help minimize The Human Factor risks:

Understand that in this post-PC era where data and devices are often exposed, organizations need to approach security with a new mindset, putting the focus on "data-centric" security that integrates threat and data protection capabilities within a unified framework so that companies know who is accessing what data, when, where and how.
Create awareness among employees and other insiders about the need to spend more time and effort on data protection activities.
Ensure data protection policies address areas where an organization is most vulnerable to a data breach.
Investigate governance and technology solutions that are both efficient and cost effective, such as email based data loss prevention, email encryption and secure file sharing.
Make sure those who are given privileged user status are knowledgeable about the risks.
Require immediate notification if a mobile device containing sensitive and confidential information is lost or stolen.
Create policies for the use of social media in the workplace.

Supporting assets:

For the full report, visit: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_trend-micro_ponemon-survey-2012.pdf
For the executive summary, visit: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_trend-micro_ponemon-executive-summary.pdf
To use the free online data risk calculator, visit: http://www.trendmicro.com/datariskcalculator
For the free primer on why SMBs lose critical data, please visit: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/sb_5-reasons-why-small-business-lose-critical-data.pdf

Methodology
The study surveyed 709 IT and IT security practitioners (hereafter referred to as IT practitioners) in the United States. On average, respondents have more than 10 years of relevant experience. Only IT practitioners who have some level of responsibility for data protection in the organization participated in this study. Forty-five percent of respondents are at the manager level or higher in the organization. Seventy-eight percent are in organizations with a headcount between 100 and 5,000. Ponemon also examined differences with respect to the human factor risk between organizations that are larger (those with a headcount of more than 100) and smaller organizations (referred to as a small-to-medium sized business or SMB).

About Trend Micro
Trend Micro Incorporated (TYO: 4704;TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years' experience, we deliver top-ranked client, server and cloud-based security that fits our customers' and partners' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge – from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.

About the Ponemon Institute:
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.

Additional information about Trend Micro Incorporated and the products and services are available at Trend Micro.com. This Trend Micro news release and other announcements are available at http://trendmicro.mediaroom.com/ and as part of an RSS feed at www.trendmicro.com/rss. Or follow our news on Twitter at @TrendMicro.

[1] Defined by Ponemon as when a third party vendor has another company's data that is stolen or lost by the vendor, not the original entity, and cause of data loss is unknown.

SOURCE Trend Micro Incorporated