“Employee error” turns out to be the most common reason for a data breach at companies, according to a new cybersecurity report released Wednesday by the Association of Corporate Counsel. This means the breach occurred as the result of a mistake the employee made, such as accidentally sending an email with sensitive information to someone outside the company.
The report, which contained survey responses from more than 1,000 in-house lawyers in 30 countries, found that 30% of breaches this year occurred as a result of employee error. Other common reasons for a breach included unauthorized access by insiders intending to steal company data, and phishing attacks, in which third parties send spam emails designed to trick employees into giving up their personal information.
The findings highlight how easy it is for cybercriminals to take advantage of negligent employees. For instance, hackers in a recent case allegedly stole information from newswire companies by sending phishing emails to employees and then put that information on overseas servers for financial traders to access.
Lawyers in the healthcare industry reported the highest number of breaches, followed by insurance, manufacturing and retail, according to the survey. Experts have said health companies are especially vulnerable because they hold sensitive information, including people’s prescriptions and illnesses, that would be valuable to hackers.
Although cyber risk has traditionally been handled by companies’ IT departments, the survey found that most in-house lawyers expect their role in cybersecurity to increase next year, despite the fact that only 10% of lawyers surveyed had a portion of their budget allocated explicitly to cybersecurity.
Half of the survey respondents said their company has cybersecurity insurance; among those, 68% had coverage valued at $1 million or more. Of the lawyers who have experienced a breach, only 19% said their insurance policy fully covered the related damages.