Data breach trends -- progress, challenges, and what's next [Q&A]

Despite organizations putting in place better security controls, the pace of data breaches shows no signs of slowing down.

We spoke to Jon Fielding, managing director, EMEA at Apricorn, to discuss the latest data breach trends, the progress that's been made and where more work is needed to address security threats.

BN: How have employee behaviors contributed to data breaches, and what steps can organizations take to mitigate these risks?

JF: A recent Apricorn survey identified the top causes of data breaches as phishing attacks (31 percent), unintentional insider data loss (30 percent), and ransomware (29 percent). These statistics highlight that employee actions, whether intentional or not, remain a significant driver of breaches. Worryingly, over 60 percent of IT security decision-makers also anticipate that their remote workforce will cause a breach in the near future, signaling ongoing concerns about human error, negligence, and insufficient cybersecurity awareness.

Organizations need to prioritize employee training and enforce strict security policies to limit human error, and these policies should be enforced at a technical level wherever possible.

Education and awareness programs for all staff and third-party contractors are essential. Organizations should review all existing security processes against compliance guidelines and best practice and identify the gaps, putting a plan in place to address these areas. This might involve creating or amending security policies, for example.

BN: How can businesses enforce these policies?

JF: Implementing and adhering to corporate processes and security policies is often easier said than done. While it is impossible to secure every line of attack, organizations can reduce potential risks and impacts by combining the right technology with comprehensive employee education.

Policies alone are not always enough; employees may ignore them or fail to fully understand their importance. However, when businesses invest in effective tools and ongoing security awareness, they can persuade their workforce of the value these measures offer, ultimately strengthening their security posture.

A pressing concern is that many organizations still struggle to enforce their security policies. Our survey found that 34 percent of businesses have no way of enforcing security strategies for employees using their own IT equipment for remote or mobile work. This reveals a significant gap in the protection of sensitive data, especially as hybrid working has become the norm.

To address this, organizations need to implement security policies that are both appropriate for the device in use and the sensitivity of the data being accessed. A blanket approach could stifle personal productivity without improving security. Instead, organizations should take a risk-based approach, tailoring security measures to the specific needs and roles of their employees, ensuring that workers are protected without being overly constrained.

Organizations should prioritize and identify a corporate standard for secure USB storage and mandate its use. This can be enforced through technical controls that whitelist allowable devices that can be plugged into the USB port, blocking all non-sanctioned devices. This removes the decision from the employee, protecting corporate data without affecting their productivity.

Another way to improve adherence to security policies is through regular, comprehensive security awareness training. This training must be specifically designed to address the unique challenges of remote work, equipping employees with the skills and knowledge needed. Beyond a one-time course, regular refreshers and interactive sessions can reinforce the importance of compliance, helping employees recognise phishing attempts, respond to potential threats, and avoid risky behaviour like using unsecured networks and devices.

BN: What areas still need improvement to better address these security challenges?

JF: While security controls are improving, gaps remain in employee training and technology access. The survey revealed that 73 percent of remote workers lack the skills and tools necessary to fully protect company data. Even when workers are willing to comply with security policies, inadequate technology, such as relying on unprotected devices, leaves sensitive data vulnerable. The frontline of defense is to mandate encryption of all corporate data, including personal and sensitive data, as standard.

BN: How has trust in employees impacted organizational security?

JF: Trust in employees has been eroded, with 63 percent of IT and security leaders expressing concern that remote workers could expose their organizations to security risks. Alarmingly, 55 percent of remote employees have knowingly put corporate data at risk in the last year. This points to gaps in security awareness or deliberate risk-taking by employees. Organizations are responding by enforcing stricter security measures, but the root cause, improper handling of sensitive information, must be addressed with training, oversight, and better security tools like encrypted devices. Encrypted USBs and hard drives ensure that sensitive data is automatically secured, reducing the risk of breaches when employees handle data outside of secure environments.

BN: What progress have businesses made in response to these data breach risks?

JF: Despite the rise in employee-related risks, businesses are making headway. The survey noted a 33 percent increase in organizations installing security software on remote worker devices, a vital step in securing endpoints against threats. Furthermore, the practice of self-reporting breaches to authorities has grown significantly. In the UK, for example, 53 percent of businesses are now voluntarily notifying the Information Commissioner's Office (ICO), up from 40 percent last year. This shift toward greater transparency and accountability suggests that organizations are taking their breach response obligations more seriously, an important element of building a robust cybersecurity framework.

BN: Is there any good news in terms of how organizations are handling data breaches?

JF: Yes, there is notable progress in breach reporting and response mechanisms. Fewer organizations are being reported to regulatory bodies by external parties, and more are self-reporting breaches, showing a proactive stance. This increased level of transparency and accountability is a positive sign that businesses are evolving. As organizations take on a more proactive approach to incident response, they are better equipped not only to prevent breaches but also to recover from them efficiently, reducing the long-term impact on operations.

BN: What steps should organizations take next to enhance their security efforts?

JF: Organizations need to bridge the gap between trust and employee capability by continuing to educate their workforce on best practices while also providing the right tools to secure data.

Solutions like encrypted USB drives can protect data at rest and in motion, ensuring that employees can work securely even outside the corporate network. By integrating these technologies into everyday workflows, organizations can ensure that security is seamless, reducing the burden on employees while still protecting sensitive information.

These steps, coupled with strong employee education, will bolster overall resilience and limit the chances of a potential data breach.

© 1998-2024 BetaNews, Inc. All Rights Reserved.