Risk
2/4/2009
05:25 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Human Error Cited As Greatest Security Risk

Data breaches caused by human error last year accounted for 35.2% of incidents with reported causes.

In Deloitte's sixth annual Global Security Survey, people are the problem.

"[P]eople continue to be an organization's greatest asset as well as its greatest worry," Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, said in the report. "That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement."

On one level, that couldn't be more obvious: It's not as if anyone worries about squirrels hacking servers; security has always been about people. (Robots, the report says, are unlikely to replace the human workforce during the lifetime of anyone reading the report. Finally, some good employment news.)

Yet despite the obviousness of the problem, the obvious solution -- complete denial of access -- doesn't work. People use computers and computers are more useful when connected and it just gets worse from there. That may explain why identity and access management remained top of mind for survey respondents.

Deloitte's survey, drawn from major financial companies around the globe, focuses on governance, investment, risk, use of security technologies, quality of operations, and privacy. It includes some good news -- external breaches have declined sharply over the past year -- and troublesome news -- fewer companies say they have the commitment and funding to address regulatory compliance.

In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)," the report states. It attributes the rising risk to increased adoption of new technologies and social networking.

In 2008, data breaches caused by human error declined, the Identity Theft Resource Center said last month. Nonetheless, such breaches accounted for 35.2% of incidents with reported causes.

Survey respondents cited viruses and works, e-mail attacks, and phishing/pharming as the most common cause of repeated occurrences of external breaches. But organizations are clearly getting better at dealing with these threats because the percentage of companies reporting repeated incidents arising from these causes fell last year.

External breaches arising from viruses and worms affected 15% of respondents in 2008 and 43% in 2007; external breaches arising from e-mail attacks affected 24% of respondents in 2008 and 57% in 2007; breaches arising from phishing/pharming affected 7% in 2008 and 38% in 2007.

Only 20% of respondents said they hadn't been affected by a breach arising from an external attack; only 30% said they had not been affected by a breach through an internal attack.

Viruses and worms also led the list among causes for internal breaches, affecting 11% of respondents.

The report observes that while organizations have made progress preventing repeat attacks arising from viruses/worms, they have been less successful in dealing with e-mail attacks and phishing/pharming. The reason is because e-mail attacks are more varied and because e-mail can't just be shut down.

"Organizations need to continue to figure out ways to thwart these threats if the Internet is to be a trusted communications medium," the report says.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.