Unwitting accomplices: employees and vendors--not hackers--pose greatest data breach threat.

Author: Hill, Daniel D.
Position: Legal Brief

Often, the phrase "data breach" conjures up images of code-cracking hackers in far-flung locations. In fact, many data breaches are the result of activities much closer to home--preventable mistakes by your own employees or vendors.

According to Experian, nearly 11 percent of data breaches result from employee negligence, with 30 percent of those due to human error. Seventy-four percent of IT professionals believe that these numbers are even higher--that insiders are responsible for most data breaches. According to a study by cybersecurity company Trustwave, third-party vendors are responsible for 63 percent of data breaches.

Failure to address employee and vendor data security risks can be extremely dangerous to businesses of all sizes. Data breaches are often catastrophic, with nearly 60 percent of small businesses going under within six months of suffering a data breach.

Proactively addressing controllable employee and vendor risks can significantly reduce any company's exposure to a dangerous data breach.

Employee training

If basic security standards are not followed, even the most well-intentioned employees can put your organization at risk. Simple things like clicking on a link from an infected website, reusing passwords on multiple accounts, opening or responding to the wrong email, or misplacing a laptop or smartphone can compromise the security of an entire organization.

Alternatively, sound policies and timely education empower your employees to serve as the first line of defense against a data breach, instead of causing the breach.

The development and implementation of a comprehensive information security policy is a critical first step in protecting your organization's sensitive data and addressing potential employee risk to that data. This policy should (1) address the handling of all information used, processed or held by your organization, (2) classify data based on its importance and sensitivity, and (3) identify technical and procedural measures to protect such data.

Unless all employees are on the same page, even the most air-tight information security policy is useless. Many employees do not see themselves as taking risks and perceive information security as an unnecessary hindrance to their job performance. In fact, executives often pose the greatest risk. A training program that addresses common methods of attack, good information security hygiene, and case studies that illustrate the catastrophic impact of cyberattacks...
