Employees to blame for data breaches

UK security leaders believe that their organization’s employees are continually exposing sensitive data to the risk of a breach, yet are neglecting to take the necessary steps to control the risks, according to annual research carried out by Apricorn (www.apricorn.com), the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives.

Apricorn’s research found that 70% of corporate breaches are a direct result of employee error or malicious intent, with staff being caught out by phishing emails.   Of the security decision makers surveyed, almost half (48%) of respondents admit that their company’s mobile or remote workers have knowingly exposed data to a breach over the last year, a rise from 29% in 2022; while 46% say that their remote workers “don’t care” about security – compared to only 17% last year.  

This trend was echoed when the respondents were asked about the main problems they faced with implementing a cybersecurity plan for remote and mobile working.  The biggest issue – which 28% are struggling with – is lack of awareness among employees of the risks to data when working away from the office.  Also high on the list is the fact that staff who are aware of security risks will still take action that results in data being exposed or lost (23%).

“Our research indicates businesses don’t trust their employees to live up to their responsibilities around protecting data.  This is particularly the case when they’re working remotely.  There appears to be a lack of buy-in, and in some cases a blatant disregard of the need to follow cybersecurity policies – perhaps as a result of employees becoming too relaxed over security,” says Jon Fielding, Managing Director EMEA, Apricorn.  

“Despite awareness of the ‘insider threat’, companies are not applying the policy and technology measures necessary to prevent data being compromised – in particular when it comes to BYOD.  Of those that allow employees to use their own IT equipment remotely, our research shows that only 14% manage the risk by controlling access to systems and data using software, a drop from 41% in 2022,” continues Fielding.

“Decentralization of IT may be behind the slip in control that security teams have over the endpoint.  The employee technology platform is moving further and further away from the organization, especially where people are using their own kit.  While creating a great employee experience is important – and the flexibility and productivity gains are undeniable – it’s essential that security teams now pull on the reins and apply comprehensive measures to protect data.  Without these, the situation is a ticking time bomb.”

The research was conducted by Censuswide with 201 security decision makers (manager level +) of large companies in the UK between 30.03.2023 – 06.04.2023 also found that 21% companies (up from 12% last year) say that the mishandling of corporate information by third parties had caused a breach, indicating the increasing need for tighter security in the supply chain.