The London-based security firm analyzed both the 4,856 personal data breaches reported to the Information Commissioner’s Office and a survey of more than 4,500 US and UK IT leaders and employees to gain insight into the root causes of internal breaches.
The researchers found that of the breaches reported during the first half of 2019 caused by insiders, 43 percent were due to incorrect disclosure and 20 percent were caused by posting or faxing data to the wrong recipient.
Eighteen percent were due to failing to use the Bcc function or emailing data to the wrong recipient, while 5 percent were caused by employees providing hackers with information during a phishing attack.
“These statistics are alarming,” Tony Pepper, Egress CEO, said in a statement. “All too often, organizations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person.”
“Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organizations must invest in technology that works alongside the user in mitigating the insider threat,” he added.
Diving into the data and survey results, the researchers found 18 percent of breaches were reported in the healthcare sector, followed closely by 16 percent within both the federal and local government. The education sector landed in third with 12 percent, and 11 percent reported in the justice and legal sector.
“The healthcare sector persistently tops the list when analyzing the sectors affected by data breaches,” Pepper said. “This is very concerning, especially given the nature of the data. Why this particular industry continues to suffer from internal breaches is worrying and the sector must quickly take action to identify how it can work towards mitigating the insider threat.”
Notably, of those surveyed, 79 percent of IT leaders believe their employees have accidentally put company data at risk within the last 12 months. What’s worse, 61 percent believe those employees did so with malicious intent. And 60 percent of IT leaders believe they’ll experience an accidental breach within the next year. Forty-six percent said they’ll have a malicious breach in the next 12 months.
Thirty-eight percent of IT leaders believe reputational damage is the greatest impact of an internal data breach, with 95 percent acknowledging insider threats are an organizational concern.
These statistics are concerning when compared with the employee responses. For starters, 92 percent of employees said they haven’t accidentally broken company policy when sharing information, with 91 percent saying they haven’t done so intentionally.
What’s more, 55 percent of those employees who intentionally shared data against company rules said their organization did not provide them with the necessary tools to securely share sensitive data.
Interestingly, 60 percent of employees don’t believe the organization has exclusive ownership of the data, and 32 percent would consider taking company information to a new job.
“Overall, this finding may shed light on why IT leaders think employees are putting data at risk more than employees think they do: employees do not view company data ownership with the same perspective as IT leaders, therefore they simply don’t see the associated risks,” researchers wrote.
“They may not even believe that they have done anything wrong in sharing data insecurely,” they added. “This highlights that user education around data ownership should be a priority for organizations. Employee responsibility for the protection of companies’ intellectual property must be made clear through policies, HR contracts, and ongoing training.”
Further, most employee respondents were hesitant to admit when they were the cause of a data breach. But the researchers stressed that those who did so “showed a worryingly blasé attitude towards company information.”
“Even the ‘curious’ employee can put data at risk by accessing and sharing it without permission,” researchers wrote. “Recently, 60 employees at a hospital in the U.S. were fired for accessing and sharing information on a celebrity patient. Regardless of intention, IT leaders have a responsibility to provide employees with tools to share and access data securely.”
“The results show a significant disconnect between the IT leader and employee perspectives of insider data breaches,” they added. “This perception gap points to a major challenge for businesses. Insider data breaches are viewed as frequent and damaging occurrences… yet the vectors for those breaches – employees – are either unaware of, or unwilling to admit, their responsibility.”
The Egress report mirrors several findings in recent years that highlight both the threat of insiders and the need for stronger employee education around securely sharing patient data. In May, Verizon research showed miscellaneous errors and privilege misuse are rampant in healthcare data breaches.
In fact, healthcare is the only sector where the majority of breaches were tied to internal threats. In the previous year, a HIMSS report showed insider threats were a greater concern than external risks. A JAMA study from March confirmed that phishing education and training reduces healthcare cyber risk.