Forget hackers, the fool next to you is the real threat

The most common threat to government data is human error rather than malicious hackers or code, according to an analysis of reported data breaches by the security intelligence company Rapid7. This is not necessarily good news for IT security professionals charged with keeping malware and hackers out of government systems. Rather it is a reflection that the boneheaded, like the poor, will always be with us.

Unintended disclosure was responsible for 29 percent of incidents reported by agencies over the last three years, putting it in first place in terms of number of breaches. In terms of number of records exposed, loss or theft of portable devices was number one, exposing more than 80 million records, for a whopping 86 percent of that total.

Hacking and malware came in well down the list, with 40 incidents exposing about 1 million records.

Causes for reported government data breaches

The data was culled by Rapid7 from the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse.

Progress is being made on the challenge of protecting data on portable devices that are easy to lose and attractive targets for thieves, however. These types of losses have declined since 2010, and the increased use of technology such as full-disk encryption is helping to keep sensitive data confidential even if the device disappears.

Protecting systems against malware and hackers is likely to remain a challenge regardless of shifts in the data threat landscape, said Rapid7 security researcher Marcus Carey. “Government agencies are going to be continually attacked by malware because there are people out there who want the information,” he said.

Because of the difficulty of gathering accurate statistics about the number and impact of data breaches, it probably is best not to use these numbers to identify anything but broadest trends, however.

Reader Comments

Mon, Nov 12, 2012 Tony Kern Colorado Springs

The cyber world is discovering what we learned long ago in aviation, that no matter how sophisticated the technology, human error remains the top threat. What they HAVEN'T learned yet, is that it can be fought with success. Vigilance, attention to detail, distraction control, and self-monitoring, are all skills taught in aviation that need to quickly migrate to the cyber world for all our sakes!

Fri, Sep 21, 2012 BaltFed

"I too am interested/concerned with the statement "boneheaded, like the poor, will always be with us." What DOES that mean? ... "

It means that no matter how much you try to solve a problem (like poverty) there will always be some part of the problem that remains. Or as I always say, "You can make things fool proof but not _damn_ fool proof." There's a similar statement about the Universe's ability to create bigger and better fools ...

Fri, Sep 21, 2012

Every time I see this "finding", I'm taken back to all my work in use error and human factors. The human part of any system is ALWAYS the weakest part. This is a proven scientific fact. Blaming the users is and saying they are the problem is pointless and won't solve the problem. A system needs to be designed to limit the risk of human error. Training won't do it, calling them stupid or bone-headed won't fix it. That's just pure laziness on our part. Aircraft and nuclear power are designed to minimize use error, medical equipment is making a tiny bit of progress. Of course, if IT is incapable of designing a system that limits the user effect...

Thu, Sep 20, 2012 Paul2

And I think the "boneheaded" piece is pretty self explanatory. Some of the breaches I've heard reported were serious Homer moments. People get complacent and stop thinking about what they are doing or don't even realize that extra security is needed. It amazes me that none of the security training seems to include some of the simplest measures like using encryption on emails for sensitive info. I've had folks that have worked in government for years that don't even know that capability exists. It doesn't help that even those responsible for setting rules for the secure transfers of data can't even agree on the best methods.

Thu, Sep 20, 2012 Cowboy Joe

While I understood the biblical reference immediately, it mighta' been better for our dear author to use a less erudite cliche ... somethin' like, "Y' cain't fix stupid." It might be a bit counterintuitive to some, but most people get the whole idea that stupor-stumblin' into somethin bad is a whole lot easier than plannin' t' make it happen. Compound that with the idea that it's easier to defend against somethin' rational than somethin' "random". No surprises here.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above