Employees Cause Most Corporate Data Loss

According to a new study (PDF, info required) from Compuware, IT departments should take a bow—only 1 percent of corporate data losses this past year were due to hackers. Unfortunately, the good news mostly ends there. Negligent employees are far and away the largest cause of data breaches, but IT managers also listed outsourcing and malicious employees (possibly ex-employees as well, one assumes) as two significant reasons why data breaches often occur.

Security threats have been and continue to be ignored by corporations and institutions, despite a laundry list of laws that mandate data be kept safe and private. This is most prevalent in smaller private companies and institutions, were unfortunately management just don’t care.

I have been in many potential “whistle blower” situations and gone to great lengths to explain imminent dangers, their fixes and the law. Unfortunately since my interpretation of the law goes against management’s self-indulgent wishes, the risks persisted.

It is a well known fact that even though a good perimeter firewall/IDS combination will deter most attacks, the probability of attacks originating from within and thus defeating the firewall, more than double threats from outside the network.

Whether its an infected laptop from a visitor, a key-logger on an administrative system or a disgruntled employee engaging in a deliberate attack; the potential for a security breach from inside the network is much more likely.

Several steps must be taken in order to protect the data and all revolve around taking information security serious.

  • Training, Training, Training
    In my experience one of the biggest security risks anywhere is the lack of understanding regarding computer systems and the technical aspects of data security. Users are told how important “safeguarding” data is, but not technical reasons for why data should be stored in a specific place.
  • Network Access Control
    Not knowing who is on your network is like not knowing who is in your building. Let’s ponder about this statement a little more. How valuable is client information, customer credit cards or social security numbers? Is it as valuable as money? Would you leave money laying around? Would the money be in a safe or vault?
    Wouldn’t it be important for you to know who is near or in the safe?
    I would be willing to bet what I would hear from a network admin, if I asked who/what is on your network. An empty stare with “Sounds of Silence”.
  • Policies and Procedures
    Here’s a novel idea. Let’s put all the money in the bank vault and not leave it in drawers or on desks!

    The best chances of protecting something are achieved if its all in one place. Remember, security is only as strong as the weakest link. In order to accomplish this outcome, confidential data should not be stored on individual computer systems and as computer equipment leaves the company any remaining data must be erased.
    A popular application to deal with this is Identity Finder, which scans your PC for confidential information including credit card, Social Security Numbers, etc. giving you the capability to permanently delete it from the hard drive.

Identity theft statistics point to over 226 million data records of U.S. residents having been exposed due to security breaches since February 2005, which is extremely alarming.

The most common forms of identity theft:

  • Credit card fraud (25%)
  • Phone or utilities fraud (16%)
  • Bank fraud (16%)
  • Employment fraud (14%)
  • Government documents/benefits fraud (10%)
  • Loan fraud (5%)