Research example
What percentage of breaches and hackings into organizations originate or can be linked to breaches of personal online accounts belonging to employees (Gmail, Facebook etc.)?
Insights
• According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents are caused by people inside an organization: 30 percent are due to worker negligence and 20 percent are considered insider misuse events.
• Employees are the most cited source of compromised information.
• As of November 2016, the distribution of attack targets is led by industry, followed by governments, with individuals last.
Overview
Hello! Thanks for your question about the percentage of breaches and hackings into organizations caused by breaches of personal online accounts belonging to employees. The most useful sources I found to answer your question are "World's oldest hacking profession doesn't rely on internet" and "6 Cyber Security Statistics You Should Know for 2016". The short version is that employees are responsible for 50% of all company data breaches as of 2015. This implies that cyber security does not depend only on your network; it depends largely on your employees.
According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents — any event that compromises the confidentiality, integrity or availability of an information asset — are caused by people inside an organization. While 30 percent of all cases are due to worker negligence, such as delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data, roughly 20 percent are considered insider misuse events, where employees steal and/or profit from company-owned or protected information. Often, that translates to employees on the front lines stealing patient medical data or client social security numbers, which can then be sold on the black market or used to commit fraud such as collecting someone else's social security benefits, opening new credit card accounts in another's name, or applying for health insurance under an assumed identity. On other occasions, data breaches are the result of a disgruntled employee seeking personal gain from an attack.
The most common, easiest, and lowest-cost method used to steal access credentials and other sensitive information from employees and other system users is spear phishing: typically a fake email asking potential victims to click a URL and fill out a form on a fake website, or to open attachments and links that download malware onto the users' computing devices, leading to unauthorized access. Human error does not only lead to identity theft and credential giveaway in phishing attacks. Other errors by employees and management that facilitate security incidents include hiring criminals due to improper background checks, allowing inactive and orphan accounts with no owner to exist, creating an excessive number of highly privileged accounts, and sharing passwords.
The healthcare industry is at substantial risk when it comes to data breaches. HIPAA compliance is a difficult concept to master, and not all companies are up to scratch on the requirements. This is unfortunate, since healthcare data is the most expensive to lose, with the average stolen record costing $363. That comes out to more than twice the average cost per stolen record across all industries. Data from 2015 show that breaches continue to rise, with 38% more security incidents detected in 2015 than in 2014, which draws much more attention to cyber security as a whole. Meanwhile, theft of "hard" intellectual property (records that can directly hurt either a consumer or a business) increased by 56% in 2015.
The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses for more than six months after a cyber attack. According to the Ponemon Institute, the average cost for small businesses to clean up after being hacked stands at $690,000; for middle-market companies, it is over $1 million. Recent events have proven that nobody is safe from the threat of cybercrime: not large corporations, small businesses, startups, government agencies, or even presidential candidates.
To wrap it up, most cyber breaches happen because an employee does something they are not supposed to do. Basic training can stop the majority of low-level threats, but coaching your employees on data protection is not enough. Business owners must establish data security protocols, policies, practices, and procedures that every employee takes seriously. Companies fail to prevent cyber intrusions because they fail to address the weakest link in the information security chain: the people (employees, contractors, customers, and vendors) who have access to systems. The best defense against cyber threats is a balanced security approach that recognizes both the strengths and the limitations of network security, automates security enforcement as much as possible, and improves identity and access management processes to reduce employee errors and, ultimately, security breach incidents.