Consumer Affairs 06-28-06 Survey: Employees Are Biggest Threat To Data Security By Martin H. Bosworth ConsumerAffairs.Com An audit finds that the biggest risk of data breach or theft comes from careless employees or consultants who don't properly secure the data they are entrusted with. The audit, conducted by the Palisade Systems network and data security company, surveyed companies that had reported data breaches or thefts in the past year to the nonprofit Privacy Rights Clearinghouse, and reviewed their security policies and procedures. According to Palisade Systems' audit report of the 126 companies surveyed, over 54 percent lost data or suffered a breach due to employee error, with 34 percent being due to outside hackers or other intrusion attempts, and the rest due to other causes. Dr. Doug Jacobsen, Palisade founder and director of Iowa State University's "Information Assurance Program," claims that there isn't enough content filtering or monitoring technology designed to pick out specific bits of data and prevent them from being transmitted. This technology -- which Palisade specializes in -- would enable employers to better monitor data their employees send out, and prevent them from circumventing security measures designed to protect against outside intrusions. "All of sudden, employers are realizing that the biggest security threat they face to the sensitive data they are storing and/or sending is now coming from employees who can't get caught by the millions of dollars of security technology designed to prevent the bad guys from getting in," Jacobsen said. "If employers are going to prevent and stop their customers' sensitive data from falling into the wrong hands, they seriously need to consider investing in content monitoring and filtering technology." According to the Privacy Rights Clearinghouse, over 88 million Americans have had their identity endangered as the result of data breaches between February 2005 and June 2006. The total includes all instances of reported data theft, both physical and electronic. The Government Accountability Office has issued multiple reports emphasizing the dangers of letting third-party contractors handle sensitive data such as individual Social Security numbers. Private contractors are not bound by the same rules as government agencies, and often will have greater access to data with less accountability. Although content management and security tracking may do more to prevent the transmission of secured information electronically, it does not prevent physical theft or loss of stored data. The most prominent cases of employee-based data breaches in recent months have been due to laptop theft or loss, such as the Veterans Administration data breach, caused when an unidentified analyst took the records of 26 million veterans and personnel home with him and then reported that a thief burglarized his home, stealing the laptop the records were stored on. Many other data breaches have not been caused by employee error, but by lax security policies and lack of oversight, or by businesses improperly storing data without protecting it. The multiple breaches of information records at Ohio State University were made possible by the university collecting information on people, often without their consent, and failing to secure known data vulnerabilities for over a year.