A company's own employees are a significant factor in the majority of data breaches, either through malicious activity or avoidable mistakes, say two new studies, but companies aren't doing enough to address this issue.
According to a recent survey by CompTIA, human error accounts for 52 percent of root causes of security breaches, while technology errors account for 48 percent.
However, human error ranks as a serious concern for less than a third of respondents.
"The main reason that companies exhibit a low level of concern over human error is that it is a problem without an obvious solution," said the report. "A high level of concern over malware or hacking can be addressed with an investment in technology."
But human error can only be addressed with training, and there are few metrics to evaluate the effectiveness of training, said the report, which was released just over a week ago.
Meanwhile, the SANS Institute released its own survey yesterday showing that negligent employees accounted for the majority of concerns that companies had about insider threats, more than malicious employees, and all contractors, clients, partners and other affiliates combined.
But 32 percent of respondents said that they did not have the ability to prevent an insider incident or attack. A slight majority of respondents, 51 percent, said that lack of training was limiting their ability to deal with insider threats, 43 percent cited budget issues, 40 percent said they did not have sufficient staff, and 40 percent pointed to a lack of technology solutions.
Security experts were quick to suggest technical solutions to address the problem of both negligent and malicious employees.
"Our position has been that IT has been overwhelmed for the last decade trying to keep systems secure using essentially manual methods," said Philip Lieberman, president at Los Angeles-based Lieberman Software Corp.
He recommends that companies use more automated tools to manage access and credentials.
"Security awareness is a must, but it's a slow and difficult task, and as CompTIA study shows human error is still the largest factor behind security breaches," said Igor Baikalov, chief scientist at Los Angeles-based Securonix, Inc.
"The game changer," he said, "is continuous risk monitoring through automated analytics."
It can detect human error, reduce false positives, and lower incidence response times, he said.
"Humans were always considered to be the weakest point of the IT security chains -- and the more privileges they have, the more risk they pose to the corporate network," said Péter Gyöngyösi, product manager at Luxembourg-based BalaBit IT Security.
Gyöngyösi suggests that companies deploy technology that learns typical employee behavior patterns and then watches for anomalies, with the most attention paid to the employees with the highest priviledges.
Sign up for Computerworld eNewsletters.