External cybersecurity breaches get the headlines, but evidence points to human error as a greater cybersecurity threat for organizations of all sizes.
A data security incident response report released earlier this month by BakerHostetler found that, across the 200-plus incidents the firm advised on in 2014, human error was the leading cause. Employee negligence accounted for 36% of incidents, theft by outsiders for 22%, theft by insiders for 16%, malware for 16%, and phishing for 14%.
Healthcare accounted for the largest share of incidents in the firm's caseload, a figure the report attributes largely to the strict breach notification rules healthcare providers must follow rather than to a higher rate of attacks. No industry, however, was immune from threats to its sensitive information.
“It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information. Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront,” stated the report’s authors.
Other findings noted in the report include:
- Not all security lapses involved the theft or hacking of electronic records; 21% involved paper records.
- 58% of the incidents required notification of affected individuals, based on state breach notification laws.
- Credit monitoring was offered in 67% of the incidents.
- Of 75 incidents in which notification letters were mailed, only five led to litigation by potentially affected individuals.
- For incidents involving stolen payment card data, fines for PCI DSS non-compliance ranged from $5,000 to $50,000 per matter. Initial demands for operating-expense and fraud assessments ranged from $3 to $25 per card involved.
“Our analysis shows that best-in-class cyber risk management starts with awareness that breaches cannot be prevented entirely, so emphasis is increasingly on defense-in-depth, segmentation, rapid detection and containment, coupled with ongoing effort to monitor threat intelligence and adapt to changing risks,” the authors advised.