Who is Responsible for Data Breaches?

When a business suffers a data breach, you can be sure the fingers start pointing. The group currently in the cross hairs is 18-24 year-old employees; some believe for good reason – others not so much. For sure the desire to blame is there. A recent study report by Centrify offers up some disturbing facts about next-generation employees and their cybersecurity practices – or lack thereof. The study also involved senior decision makers and the clear deficit of cyber education for their employees. It may be a chicken or egg-first blame game, but the end result is data breaches continue to occur.

Blaming Next-Gen Employees

The Centrify survey finds “Over one third of decision makers (35%) believe that younger employees are mostly to blame for workplace data breaches. 37% of decision makers said that younger workers are too relaxed about security measures.” To complicate the issue, social media addiction of 18-24 year-old employees adds another layer of security risk for employers. Over 13% of next-gen staffers admit regularly using social media at work, often posting personal updates to their accounts. That one fact opens a Pandora’s box of security issues for employers. Social media posts can undermine a company’s security, although 18% admit they’re aware of that risk but do it anyway – with 21% not worried about it at all.

Beyond social media, the major concern for 67% of managers is next-gen employees opening phishing emails and malware-laced links. Concerns for 58% are also that those employees remove company data via email or USB key and then put that data onto personal devices. That leaves company security flapping in the wind, subject to the personal cybersecurity practices of employees outside of work. These concerns are legitimate for any employer about personnel in any age group. However, the study finds next-gen staff behavior doesn’t support these particular concerns. It finds only 10% of next-gen click on suspicious links, and only 7% removed data from the company.

Blaming Employers

Here’s where the finger pointing returns to employers. The survey finds “One in five companies is failing to provide next-generation workers with clear guidelines on basic security issues such as appropriate use of workplace devices and management of data.” That also includes poor password policies with only 40% of companies requiring regular password changes. After years of successful breaches and hacks – sometimes caused by employee missteps – there’s really no excuse for not requiring ongoing employee cyber education. Hackers are constantly finding new ways into data systems and their methods keep changing. Keeping employees continually aware of hacking trends is as critical to cyber-resilience as maintaining updated system security.

As long as breaches continue, one can bet the fingers will continue to point. In reality, the blame game does nothing to actually bolster a company’s cyber-resilience. Common sense says stop blaming and start doing. Employers need to embrace ongoing cyber education for all employees, not just for next-gen. Employees need to heed the warnings and step-up by making them everyday practice at work. Maybe then the finger pointing will go to where it’s truly deserved – at the hackers.