Two recent surveys confirm long-standing claims that malicious or negligent employees are the major cause of data breaches. In one survey, CompTIA found that human error accounts for 52% of the root causes of security breaches, even as only a third of survey respondents viewed it as a serious concern. The other survey, by the SANS Institute, found that negligent employees accounted for the majority of the concerns that companies have about insider threats, more than malicious employees and all contractors, clients, partners and other affiliates combined. A similar drumbeat emerged at the annual RSA security conference in April, where the single biggest IT security threat was identified as employees tricked by social engineering tactics, such as phishing emails and fraudulent phone calls, into revealing personal and corporate information. Verizon's 2015 Data Breach Investigations Report also found that malicious email attachments and links were one of the most common attack vectors used by cyber spies.
Vulnerabilities posed by employees are scarcely news. A search of my own archives shows that back in 2004, Gartner predicted that social engineering would be the greatest security threat over the next decade, ahead of electronic hacking. Nevertheless, amidst the continual barrage of reports of data breaches, how many organizations can affirm with any confidence that they have trained their employees to deal effectively with social engineering tactics? That they have tested their employees through actual phishing attempts and found them up to the challenge? Is there any defensible excuse or explanation for not training and testing?