Close to 80 percent of all security breaches are related to human behavior -- either honest mistakes or premeditated actions. That's according to a study released last week by Ponemon Institute and sponsored by security technology company Trend Micro.
What's more, it turns out that small and midsize businesses are slightly more likely than enterprises to suffer security breaches related to the failings of human behavior, the data show. Approximately 81 percent of SMBs reported that human "mishandling" was to blame for a breach, compared with 78 percent of enterprises. (The differences will become even more apparent later on in this post.)
Overall, there were 709 IT professionals surveyed for the research.
Across the board, SMB employees were more likely to do things that were deemed "risky" in the eyes of security professionals. Here are some examples:
- 58 percent of them clicked on Web links in spam (versus 39 percent of enterprise respondents)
- 77 percent have left their computer unattended (versus 62 percent)
- 55 percent of SMB employees have used off-limit Web sites (versus 43 percent)
Smaller companies were also less likely to feel secure with the safety measures in place in case of a human failing. For example, 62 percent of the respondents from smaller companies believe their information isn't safe if someone goofs or there is a network breach.
That's a pretty darn high percentage, don't you think?
Among all companies, here are the top three reasons for breaches, as reported by the survey respondents:
- Loss of a laptop or mobile device
- Third-party mishap (such as when a service provider handling your data accidentally exposes it)
- System glitches
Stepping back, the data offers more evidence that companies, especially smaller companies, should spend more time developing an explicit policy around data security rather than just throwing technology at the problem. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement:
"We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks. Combined with a data-centric technology, education and awareness among employees are essential."
Knowing what you are up against goes a long way toward protecting against it. As more SMB employees go mobile -- and the chances of data loss rise correspondingly -- smaller companies could stand to spend more time worrying about who should have access and under what circumstances. Don't just make it an IT policy, make it a corporate policy.