To Prevent Data Breaches, Talk to Your Employees

Thom Weidlich 07.22.21


A new survey about data breaches caused by insiders (i.e., employees) highlights the importance of communicating a) how to report incidents and b) that fessing up won’t result in retaliation. We’ve said it many times: It’s better to prevent a crisis than have to confront one.

The survey, “The Insider Breach Report 2021,” is from London-based data-security company Egress Software Technologies Ltd. The subtitle says it all: “Are employees your greatest defense or your biggest vulnerability?”

Two flavors of insider breaches present themselves: human error (such as an email system autofilling a wrong recipient’s name) and malicious incidents (such as actual data theft). While most insider breaches are caused by the former, the latter most worry IT professionals. In part that’s because the malicious actors have a greater negative impact — they hurt the company by, for example, taking the data to a new job or leaking it to criminals.

Human Error

An astonishing 94 percent of the organizations surveyed said they had an insider breach in the past year. Most (84 percent) were from direct human error, such as an accidental email or breaking security rules. The most common causes of accidental leaks, according to the survey, are making mistakes from rushing, not following security policies, lack of training and lack of effective security systems.

“The majority of real-world insider data breaches aren’t caused by bad people doing bad things; they’re caused by good people trying to get their jobs done,” the report quotes Rachel Wilson, head of cybersecurity at Morgan Stanley.

The good news is that almost all the employee respondents said they would report a breach, whether caused by themselves or by someone else. More than half of IT leaders said they rely on employees to alert them to incidents. The problem is that 89 percent of incidents led to repercussions for the involved employees. That may be why only 54 percent of employees think their organization’s security culture trusts and empowers them.

Innocent Mistake

That’s something to take into consideration. Preventing a nasty crisis like a data breach means having procedures in place for employees to report any suspicions or problems. But the study shows that a fair number of people (18 percent) lose their jobs after even an innocent mistake. It’s not a good idea to create a culture in which people are afraid to report breaches.

“The research highlights the importance of empowering employees — they want to protect their employer’s data, and it’s up to organizations to ensure that they’re building a security-positive culture,” Egress CEO Tony Pepper said in a press release.

Reading, England-based Arlington Research conducted the study for Egress by surveying 500 IT leaders and 3,000 employees in the U.S. and U.K. across vertical sectors.
