IT Security Spending To Reach £50bn, But Human Error Is Still Main Cause Of Data Loss

Tom Jowitt,
shocked at laptop ©R.Iegosyn/shutterstock.com

Spending on security set to grow, but pesky humans still main reason for data losses in organisations

Human error is still the leading cause of data losses for businesses in the UK, according to a new report, despite Gartner predicting a 4.7 percent increase in worldwide spending on information security in 2015.

Databarracks’ recent Data Health Check report surveyed over 400 IT decision makers and besides finding that humans are still the biggest security weak-link, and it advised firms that adopting a big business ethos can significantly reduce avoidable data losses.

The survey found that 24 percent of organisations admitted that a data loss was the result of an employee accident in the last 12 months.

Human Error

data lossOther high-scoring causes of data loss included hardware failure (21 percent) and data corruption (19 percent).

“Human error has consistently been the biggest area of concern for organisations when it comes to data loss,” Oscar Arean, technical operations manager at Databarracks. “People will always be your weakest link, but having said that, there is a lot that businesses could be doing to prevent it, so we’d expect this figure to be lower.

“The results weren’t consistent across all organisations though. When we broke them down by business size, we saw that for the second year in a row, it was actually hardware failure, which contributed the most towards data loss across large organisations at 31 percent (up from 29 percent in 2014).

“This isn’t surprising as the majority of large organisations will have more stringent user policies in place to limit the amount of damage individuals can cause,” said Arean. “Secondly, due to the complexity of their infrastructure, and the cost of maintaining it, large organisations may find it more difficult to refresh their hardware as often as smaller organisations, so it’s inevitable at some point it will just give out.”

But SMEs can actually minimise their data loss risks from human error if they adopt some of the practices used by big businesses.

“The figures we’re seeing this year for data loss due to human error are too high (16 percent of small businesses and 31 percent of medium businesses), especially considering how avoidable it is with proper management,” said Arean. “I think a lot of SMEs fall into the trap of thinking their teams aren’t big enough to warrant proper data security and management policies, but we would disagree with that.

“In large organisations, managers can lock down user permissions to limit the access they have to certain data or the actions they’re able to take – this limits the amount of damage they’re able to cause. In smaller organisations, there isn’t always the available resource to do this and often users are accountable for far more within their roles. That is absolutely fine, but there needs to be processes in place to manage the risks that come with that responsibility.

“Of course small organisations don’t need an extensive policy on the same scale that a large enterprise would, but their employees need to be properly educated on best practice for handling data and the consequences of their actions on the business as a whole. “There should be clear guidelines for them to follow.”

Human error has consistently being one of the biggest factors in data losses over the years.

Last year for example, a Freedom of Information (FoI) revealed that human error was the reason for an increase in data breaches reported to the Information Commissioner’s Office (ICO). This was despite awareness of the need for appropriate education and processes to prevent such incidents.

Security Spending

identity deception fraud social engineering security © Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?) So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents? According to a story from Reuters, Snowden did it in the easiest way possible. He asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time. The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently. Here are some things you can do: 1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security. 2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials. 3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager. 4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged. 5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used under extraordinary situations, but are not always appropriate. It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so. Here's one way such a procedure might work: One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system where it can be verified by a manager or security staffer. Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices to enforce password discipline in place already. ShutterstockMeanwhile global spending on IT security is set to grow in 2015 according to analyst house Gartner.

It said that worldwide information security spending is forecast to grow 4.7 percent to reach an impressive $75.4bn (£50bn) in 2015. It seems that government initiatives are driving this spending increase, as more legislation and high-profile data breaches act as principle growth drivers.

According to Gartner, security testing, IT outsourcing, and identity and access management will offer the biggest growth opportunities for technology providers.

“Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” said Elizabeth Kim, research analyst at Gartner.

This focus is apparently driving investment in emerging offerings, such as endpoint detection and remediation tools, threat intelligence and cloud security tools, such as encryption. But Kim warned that strength in these emerging segments cannot compensate for the downgrade of the larger mature segments being commoditised.

Gartner also warned that price increases will drive organisations to forgo security purchasing in 2015, especially in Europe. This is because most security offerings herald from the United States, and the strengthen of the US dollar “will trigger significant price changes in the conversion from local currencies to US dollars.”

It said that pricing went up as much as 20 percent for most security products in the European region, for example.

How much do you know about data breaches? Take our quiz!