Small To Medium Businesses Carry Higher Risk Of Data Breaches

Nathan Eddy is a contributor to eWeek and TechWeekEurope, covering cloud and BYOD

Follow on: Google +

A new report from Ponemon has said that there is a higher risk of data breaches among small businesses

A report from the Ponemon Institute has warned that staff negligence or maliciousness is the root cause of many data breaches.

This is according to The Human Factor in Data Protection report from Ponemon, which was sponsored by cloud security specialist Trend Micro. More than 78 percent of respondents blame staff behaviour, both intentional and accidental, for at least one data breach within their organisation over the past two years.

Staff Behaviour

Small and midsize businesses (SMBs) are at a greater risk of their employees mishandling data than enterprises, according to a separate analysis of the overall respondents from organisations with less than 100 employees.

Overall, SMBs have a slightly higher rate of data breaches – 81 percent versus 78 percent – due to employees mishandling of sensitive data. SMB employees were reported to be more likely to engage in “risky” behaviour. In fact, 58 percent of them will or have already opened attachments or Web links in spam, versus 39 percent from enterprises; 77 percent will or have already left their computer unattended, compared with 62 percent from their enterprise counterparts.

The survey also found that more than half (55 percent) of SMB employees were likely to visit off-limit Websites, compared with 43 percent of enterprise employees.

The top three root causes of these breaches are employees’ loss of a laptop or other mobile data-bearing devices (35 percent), third-party mishaps or flubs (32 percent) (defined by Ponemon as when a third-party vendor has another company’s data that is stolen or lost by the vendor, not the original entity, and the cause of data loss is unknown) and system glitches (29 percent).

Alternatively, nearly 70 percent of those surveyed either agree or strongly agree that their organisation’s current security activities are not enough to stop a targeted attack or hacker, according to the study, which is based on a poll of 709 IT and IT security practitioners in the United States.

Accidental Discovery

The report found that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents.

Only 19 percent of respondents say that employees self-reported the data breach, making it difficult to promptly resolve it. Thirty-seven percent say that an audit or assessment revealed the incident, and 36 percent say that data protection technologies revealed the breach.

The majority (65 percent) of smaller organisations say that, in general, their organisations’ sensitive or confidential business information is not encrypted or safeguarded by data loss protection technologies. Further, employees are less likely in smaller organisations to spend time on data protection or have the proper technologies in place to thwart data loss: 62 percent of organisations believe they are not protected. Of these respondents, 65 percent say it is because technologies are too expensive and 54 percent say they are too complex.

“Our conclusion is that most threats posed by employees and those within companies are becoming more prevalent because of the mobility of the workforce, proliferation of mobile data-bearing devices, consumerisation of IT and the use of social media in the workplace,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute.

“We saw that most surveyed believe their companies are not doing enough to ensure a more effective security infrastructure against hackers and targeted attacks,” he said. “Combined with data-centric security technology, education and awareness among employees are essential.”