Internal Snafus Cause of Most Breaches, Study Says

Security incidents more likely to result from corporate mistakes than hackers


In the Numbers

The university study is reinforced by similar findings from other researchers. For instance, a report released last week by the IT Policy Compliance Group said that human error is the overwhelming cause of losses of sensitive data — contributing to 75% of all occurrences, compared with 20% for malicious hacking activity.

Data Grabs

Although internal errors led to a higher number of data breaches, hackers are responsible for a larger percentage of the individual data records that were compromised, according to a University of Washington study.

(Chart: share of compromised records attributed to Internal Errors, External Hackers, and Not attributable to either; the chart's values are not reproduced here.)

Base: A study of 550 security breaches reported between 1980 and last December. A total of about 1.9 billion records were exposed in the incidents.

Source: University of Washington, Seattle

Similarly, in an electronic poll of attendees at Computerworld’s Premier 100 IT Leaders Conference this month, the 161 respondents pointed to “activities by internal staffers,” “ineffective policies” and “sloppy mobile workers” as the biggest sources of security breaches. Only 11% of the respondents fingered external hackers as the leading cause of breaches at their organizations.

Even in cases that were publicly blamed on hackers, the reality can be more nuanced, Howard said.

One example was the huge data breach at Acxiom Corp. in 2003, when a hacker who was later caught stole 1.6 billion customer records. He was able to get at the data largely because of Acxiom’s failure to establish proper access controls, Howard said.

Tom Lindblom, chief technology officer at Carpinteria, Calif.-based CKE Restaurants Inc., which owns fast-food chains such as Hardee’s and Carl’s Jr., said he thinks businesses are getting savvier about implementing internal controls that can mitigate the kinds of organizational problems highlighted by the University of Washington study. That’s being driven partly by increased audit and regulatory requirements, he said.

As a result, Lindblom noted, it’s hard to pinpoint whether hackers or internal problems pose the greater security risk at this point.

“I don’t think it’s a case of one or the other,” he said, adding that it’s important to address both types of threats in risk management planning.

“Certainly, we find that data breaches are often the result of negligence,” said Avivah Litan, an analyst at Gartner Inc.

Examples cited by Litan include not changing passwords or using weak passwords, along with a tendency on the part of individual users to leave log files or sensitive data lying around unprotected.


Copyright © 2007 IDG Communications, Inc.
