Mary Jo White, the chair of the U.S. Securities and Exchange Commission, said in a speech Friday that cyber-attacks against the U.S. are the “biggest risk we face.”
On the same day, USA Today reported that John Carlin, the head of the Justice Department’s National Security Division, said at a hedge-fund conference that several firms had been victimized by “cyber-extortionists.”
Still, one law firm’s survey discovered that the biggest cause of data-security problems is human error.
That’s the finding in a report by the privacy and data protection team at Baker & Hostetler LLP. Of 139 incidents in 2014 in which the cause could be identified, 36 percent of the problems were the result of employee negligence and 22 percent stemmed from theft by outsiders, the report said. Theft by insiders caused 16 percent of the problems and malware produced an additional 14 percent. The final 11 percent came from phishing attacks.
The firm worked on more than 200 incidents of data breaches in 2014. Ted Kobus, a co-leader of the 40-person privacy and data team, said in a phone interview that the incidents involved public and private companies and nonprofit groups.
Kobus said problems can stem from employees who are trying to be efficient in their work.
“Organizations have strict policies” restricting what can be brought home, he said. Employees, rather than asking how they can work outside the office, quietly find a workaround, such as taking paper records home or downloading files to an unsecured personal hard drive.
“Companies need to do other things,” he said. Employers can, for example, give “employees encrypted thumb drives. Although they’re expensive, it gives them the opportunity to do what they want to do but in a secure way.”
Apart from retailers, who often learn about hacking from regulators or credit card companies, most companies discover their own breaches, Kobus said.
Nonetheless, he was surprised that the response time of affected clients wasn’t shorter. Typically, he said, “employee negligence is discovered quickly, yet companies are still not putting into place procedures and policies to have the issue escalated to someone who manages data responses.”