Consumer Affairs 06-28-06 Survey: Employees Are Biggest Threat To Data Security

By Martin H. Bosworth
An audit finds that the biggest risk of data breach or theft comes from careless
employees or consultants who don't properly secure the data they are entrusted
The audit, conducted by the Palisade Systems network and data security
company, surveyed companies that had reported data breaches or thefts in the
past year to the nonprofit Privacy Rights Clearinghouse, and reviewed their
security policies and procedures.
According to Palisade Systems' audit report of the 126 companies surveyed, over
54 percent lost data or suffered a breach due to employee error, 34 percent
due to outside hackers or other intrusion attempts, and the rest due to
other causes.
Dr. Doug Jacobsen, Palisade founder and director of Iowa State
University's "Information Assurance Program," claims that there isn't enough
content filtering or monitoring technology designed to pick out specific bits of data
and prevent them from being transmitted.
This technology -- which Palisade specializes in -- would enable employers to
better monitor data their employees send out, and prevent them from
circumventing security measures designed to protect against outside intrusions.
"All of a sudden, employers are realizing that the biggest security threat they face
to the sensitive data they are storing and/or sending is now coming from
employees who can't get caught by the millions of dollars of security technology
designed to prevent the bad guys from getting in," Jacobsen said.
"If employers are going to prevent and stop their customers' sensitive data from
falling into the wrong hands, they seriously need to consider investing in content
monitoring and filtering technology."
According to the Privacy Rights Clearinghouse, over 88 million Americans have
had their identity endangered as the result of data breaches between February
2005 and June 2006.
The total includes all instances of reported data theft, both physical and
The Government Accountability Office has issued multiple reports emphasizing
the dangers of letting third-party contractors handle sensitive data such as
individual Social Security numbers. Private contractors are not bound by the
same rules as government agencies, and often will have greater access to data
with less accountability.
Although content management and security tracking may do more to prevent the
electronic transmission of secured information, they do not prevent physical
theft or loss of stored data.
The most prominent cases of employee-based data breaches in recent months
have been due to laptop theft or loss, such as the Veterans Administration data
breach, caused when an unidentified analyst took the records of 26 million
veterans and personnel home with him and then reported that a thief burglarized
his home, stealing the laptop the records were stored on.
Many other data breaches have not been caused by employee error, but by lax
security policies and lack of oversight, or by businesses improperly storing data
without protecting it.
The multiple breaches of information records at Ohio State University were made
possible by the university collecting information on people, often without their
consent, and failing to secure known data vulnerabilities for over a year.