The new BakerHostetler report on data security incidents says that human error was the largest cause of data security incidents, accounting for 36%. Their finding is consistent with the new Ponemon report that also puts employee error as the number one cause, at 39%
But then you read RBS’s report on 2014 breaches where they say that 67% of breaches were due to hacking, and maybe you scratch your head. And you read HealthITSecurity.com, who report that hacking is currently the leading cause of breaches in the health care sector, according to HHS’s breach tool.
So who’s right? Those who say that insider error is the biggest single factor, or those who say that hacking is?
The problem with HealthITSecurity.com’s statement can be explained by the way HHS codes incidents. It may be that the 30 of 92 incidents coded as “Hacking/IT incidents” could be mostly IT incidents such as exposure on the Internet due to human error. Then again, some of the “hacking/IT incident” numbers are currently inflated by the fact that the breach tool not only includes Anthem’s reported breach, but it also includes reports from entities affected by the Anthem breach (and presumably already included in Anthem’s numbers), thereby double-counting some incidents and records. This blogger has frequently lamented the difficulties in using and making sense of the public breach tool due to its confusing coding and system.
As to the RBS report, well that may be a tad more complicated to explain. RBS includes hacks that show up on paste sites, and there are a lot of those. In contrast, small human error breaches generally don’t make the media and are not posted to paste sites. So there’s more information on hacks than on employee errors. That’s just one factor to think about, and there are others that may also help explain why their estimates of hacking incidents may remain higher than other sources.
The differences in the findings are not unimportant, either. If an entity is trying to decide where to invest their security budget and resources, it may make a difference whether the biggest threats are inside or outside, right?
In the meantime, every time a new study comes out, I take a breath and wait for the headlines and bullet points from those who often haven’t drilled down into the sampling and methods used. Then I just go throw up my hands and head for the coffee pot.