A recent Egress survey questioned 500 IT security decision-makers and found that accidental breaches are rife within the industry. Over 70% of respondents recorded an accidental internal breach during the last five years, with half of these incidents occurring within the past year.
While survey results do not always match what’s happening in reality, if you ask any IT professional, they will most likely agree that accidental breaches are a top risk when securing information. IT decision-makers are not sitting around doing nothing. In fact, even with all the ‘noise’ in cybersecurity - hype, FUD, and confusion around what to do - IT decision-makers are investing in numerous solutions to try to reduce these risks.
The results of the study demonstrate that despite large investment, the risk of accidental breaches is still considerable. In fact, 44% of executives believe employees have erroneously exposed personally identifiable information (PII) or business-sensitive information using their company email account. IT security decision-makers also ranked accidental employee breaches as one of their top three concerns (46%), just behind external hacks (55%) and malware (53%). Most accidental internal breaches happen on data that was left unprotected in its raw, clear form so it’s up to organizations to ensure that their data is secure.
A Combination of Factors are to Blame
Perhaps the reason there are so many accidental data breaches is because only 40% of organizations are properly educating staff on how to improve security when sharing data. The survey results showed that both corporate and personal email are the leading causes for accidental data leaks with external email increasing in risk from 50% to 54% over the last year. Most hackers and bad actors seek to exploit unprotected data itself by finding ways to circumnavigate perimeter defenses, user access restrictions, and intrusion detection mechanisms. Hackers either hold data for ransom or to exfiltrate it for profit. This is usually done through exploiting a range of at-risk applications such as file sharing services (39%), collaboration tools (34%), and SMS instant messaging (33%), all of which have remained an ongoing issue for organizations throughout 2019.
New Regulation Addressing the Issue
In order to combat the threat of accidental breaches, companies are taking steps to comply with data protection regulations like GDPR and CCPA. These steps include improved use of existing security technologies (59%), improved data handling practices (56%), investment in new security technologies (55%), staff education (40%), and hiring new security personnel (29%). While there has been clear significant security investment across the board, the statistics show that there is no single method to ensuring data security.
Minimizing Risk by Protecting the Data Itself
The best way for enterprises to ensure both regulatory compliance and data security is by implementing a data-centric security architecture. Data-centric security addresses risks from the view point of the data, rather than addressing risk on the infrastructure or systems surrounding the data. The data is protected with tokenization or format-preserving encryption, which keeps data safe, even in the event of a breach. The data-centric approach turns unprotected, raw, clear-form data, into data that is worthless and unexploitable to hackers. Additionally, more data privacy laws and regulations around the world are starting to use language such as anonymization, de-identification, and pseudonymization, requiring data processors and controllers to take a more focused approach towards protecting the data itself, rather than solely relying on infrastructure security.
If more enterprises undertake data-centric security, then hopefully next year’s survey results will inspire much more confidence in data processors.