The security problem no one wants to talk about

Article published in Version 2 | February 28, 2023

“90% of all data breaches can be traced back to user behavior. Many companies turn a blind eye. It’s simply a sore point,” says Kenneth Weber Andersen from digital consultancy VENZO.

The many data breaches we see around the world often stem from the same vulnerability, one that is difficult for many companies to address, because it points at the most valuable asset in a business: the employees. For Kenneth Weber Andersen, Senior Director and Partner at VENZO, there is no doubt about the problem.

“Analysis shows that 90% of data leaks come from users. This can be both intentional and unintentional. For example, it can be through document sharing or not knowing whether some files are confidential or not. For example, around 60% of users have sent sensitive data to the wrong person. We have to realize that the user is the biggest risk,” he says.

Security architect Simon Lorentzen from VENZO shares his colleague’s view.

“You don’t have to read many reports on data breaches to see the common theme: people make mistakes. In our work, we try to minimize that risk. It’s easy to manage a piece of confidential paper, but in a digital world, it’s harder for users to manage file sharing,” says Simon Lorentzen.

“There is no moat deep enough anyway”

To get at the unintentional errors, Simon Lorentzen goes to the root of the problem. Two things should pave the way for a solution. The first is to classify the data within the company.

“Setting up governance lists with data classification and retention policies is always relevant in an organization. It’s a secure solution that is fundamentally about protecting IP rights, organization members and minimizing data leaks. But the human margin of error never goes away,” he says.

Even if all data is mapped and put behind the right security measures, security is only as strong as the people who use it. And addressing those issues can be difficult.

“There is a barrier in talking about internal threats. It’s easier to talk about external dangers. You can never just secure the outer perimeter. There’s no such thing as a deep enough moat anyway. You also need to secure the inner lines. The solution is not to implement a lot of employee monitoring. It’s about using the data you already have and using it properly, looking at both behavior and traffic,” says Simon Lorentzen.

Danish work culture gets in the way of security

Denmark has its own culture when it comes to cyber security. This can be an obstacle to covering the gaps that can occur in a digital defense.

“We are very trust-based here in Denmark, and a conversation about safety quickly becomes a school/home conversation with a slightly too good atmosphere and a fear of saying unpleasant things. We are very afraid of making each other suspicious and making the conversation uncomfortable,” says Simon Lorentzen, who does, however, have a suggestion on how companies can overcome the challenges.

He believes that we need to use the existing data points to learn more about user behavior. He breaks down data breaches into 50% mistakes, 20-30% hacking and the rest error events. It is the people who need to be made aware in order to minimize the majority of the challenges.

“I think compliance training is a very effective tool. Not everyone knows all the rules and people basically want to be virtuous people. Especially at work. That’s why it’s only good to teach and point out where there is a risk of mistakes. It may seem like an educational thing, but that’s not the intention, and people are very receptive to guidance,” says Simon Lorentzen.

Data is a work tool

For Kenneth Weber Andersen, security shouldn’t overshadow access to data, but you have to think carefully. Rules and guidelines must be the framework within which the company works.

“Data and especially all SaaS solutions are very much about productivity, and it’s about being able to access company data. In many places, old-fashioned ‘moat tanks’ with VPNs and corporate PCs make it difficult to use and take away productivity gains. If done right, productivity and flexibility can be increased while increasing security. To minimize risks, granular data protection rules can be created for different scenarios. For example, when you’re on a public network or on your private devices, you can only read data and not download, print or edit data. At the same time, you must of course secure your clouds, as this technology introduces a number of surfaces to attack,” says Kenneth Weber Andersen.
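The context-dependent rules Kenneth Weber Andersen describes (public network or private device means read-only) can be expressed as an ordered rule table with a default deny. This is an added illustration, not VENZO's code; the context attributes, action names and rule order are assumptions.

```python
# Added example (not VENZO's code): a minimal evaluator for granular,
# context-dependent data-protection rules. Attribute values, action names
# and the rule table below are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    network: str       # "corporate" or "public"
    device: str        # "managed" or "personal"
    sensitivity: str   # data classification label, e.g. "confidential"


ALL_ACTIONS = frozenset({"read", "download", "print", "edit"})
READ_ONLY = frozenset({"read"})

# Rules are evaluated in order and the first match wins. A context that
# matches no rule falls through to the default deny in permitted_actions().
RULES = [
    # (predicate on the context, actions permitted when it matches)
    (lambda c: c.sensitivity == "public", ALL_ACTIONS),
    (lambda c: c.network == "corporate" and c.device == "managed", ALL_ACTIONS),
    # public network or private device: view only, no local copies
    (lambda c: c.network == "public" or c.device == "personal", READ_ONLY),
]


def permitted_actions(ctx: AccessContext) -> frozenset:
    """Return the set of actions the first matching rule allows (empty = deny)."""
    for predicate, actions in RULES:
        if predicate(ctx):
            return actions
    return frozenset()  # default deny: unknown combinations get nothing


def is_allowed(ctx: AccessContext, action: str) -> bool:
    """Decide a single action; unknown action names are rejected, not guessed."""
    if action not in ALL_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    return action in permitted_actions(ctx)


if __name__ == "__main__":
    home = AccessContext("public", "personal", "confidential")
    office = AccessContext("corporate", "managed", "confidential")
    for action in sorted(ALL_ACTIONS):
        print(f"{action:9} home={is_allowed(home, action)!s:5} office={is_allowed(office, action)}")
```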

In combination with digital security systems that look closely at changes in behavior against an established baseline, educating users will solve a large part of the problem. The interaction between the two is the solution.
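One way to "look closely at changing behavior based on an established baseline" is to compare each user's daily activity with that user's own history rather than a global average. The example below is added here and is not VENZO's tooling; the log format, the constructed log lines, the z-score threshold and the minimum history length are all assumptions.

```python
# Added example (not VENZO's code): flag confidential-file downloads that
# depart from a user's own baseline. Log format and thresholds are assumptions.
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real data): "date,user,action,sensitivity".
# alice downloads two confidential files a day, then 15 on 2023-02-06;
# bob's daily counts vary within a normal range.
SAMPLE_LOG = (
    [f"2023-02-0{d},alice,download,confidential" for d in range(1, 6) for _ in range(2)]
    + ["2023-02-06,alice,download,confidential"] * 15
    + [f"2023-02-0{d},bob,download,confidential"
       for d, n in zip(range(1, 7), (1, 3, 2, 4, 2, 3)) for _ in range(n)]
    + ["2023-02-06,bob,read,public"] * 30  # non-sensitive reads are ignored
)


def daily_counts(lines):
    """Count confidential downloads per user per day (days with none are absent)."""
    counts = defaultdict(Counter)
    for line in lines:
        date, user, action, sensitivity = line.strip().split(",")
        if action == "download" and sensitivity == "confidential":
            counts[user][date] += 1
    return counts


def flag_deviations(counts, z_threshold=3.0, min_baseline_days=5):
    """Return (user, date, count, baseline_mean) for days that stand out against
    the same user's other days. The day under test is excluded from its baseline
    so a single spike cannot inflate the variance it is compared against."""
    flagged = []
    for user, per_day in counts.items():
        for date, count in sorted(per_day.items()):
            baseline = [c for d, c in per_day.items() if d != date]
            if len(baseline) < min_baseline_days:
                continue  # too little history to judge this user yet
            mu, sigma = mean(baseline), pstdev(baseline)
            # A flat baseline (sigma == 0) means any increase is a deviation.
            if (count > mu) if sigma == 0 else ((count - mu) / sigma > z_threshold):
                flagged.append((user, date, count, mu))
    return flagged


if __name__ == "__main__":
    for user, date, count, mu in flag_deviations(daily_counts(SAMPLE_LOG)):
        print(f"{user}: {count} confidential downloads on {date} (baseline {mu:.1f}/day)")
```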

“We must strive to build common sense and skepticism into users. We need to give people the tools to be critical and think for themselves. All it takes is one employee to click on the link in a phishing email and we’re in trouble. That’s where the systems come in and take over firefighting. Security must be top of mind,” concludes Kenneth Weber Andersen.
