I’ve heard some CISOs say that mistakes by their own people are their organization’s greatest information security risk. I wasn’t so sure.
Because of my current role as an outside consultant, I spend a fair amount of time monitoring the external environment, and there is currently a great focus on external malicious attack. This is probably because (1) it’s easier (and more fun) for news outlets to report, (2) its wide consumer impact means it directly affects more people, and (3) it appears to be more costly.
So, I did a little digging and here are a few stats from two current sources that I found on the topic.
For example, figure 5 on page 8 of the Ponemon research entitled “2014 Cost of Data Breach Study: Global Analysis” shows this distribution of threats:
- Malicious attack: 42%
- Human error: 30%
- System glitch: 29% (includes both IT and business process failures)
Here’s the graphical view from the same report:
By combining the threats of errors and glitches you get 59%, so Ponemon’s research says malicious attacks are a minority threat.
And the 2015 PwC cybercrime survey showed (page 13) that “Employees are the most-cited culprits of incidents.” This is confirmed in the 2016 edition of the same report, which found that “the estimated likely source of security incidents” was current employees at 34% and former employees at 29%. Here’s a visual depiction from their 2016 report:
So, do you think errors are a greater digital risk than cyber attack? Got any data to the contrary?