The greatest threat to data security is slackers, not hackers, a new study by Ponemon Institute and Symantec finds.
Data security is a vexing problem for companies, with threats coming from all directions. But it appears many are finally learning to mitigate these threats. In fact, the average cost of data breach has actually declined, a just-released report from the Ponemon Institute and Symantec reveals.
For the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The study, which examined 49 data breach cases with a range of nearly 4,500 to 98,000 affected records, found the average cost per affected record declined from $214 to $194. The organizational cost declined from $7.2 million to $5.5 million.
Still, this is no time to sit back and celebrate.
There is a huge Achilles' heel in data security, and that is insiders with privileged -- and often unmonitored -- access. The greatest data security vulnerability is slackers, not hackers, the survey finds. Thirty-nine percent of companies said insider negligence was the root cause of their data breaches. Most breaches occur because of employee mistakes and lax operating procedures. As companies grow, many fail to put training and protocols in place to safeguard data. Others delegate data protection to the IT department, which does little to protect against human error, the Ponemon report claims.
These results align with a study I helped author on the subject, conducted as part of my work with Unisphere Research, a division of Information Today, Inc., and sponsored by Application Security Inc. The survey polled 524 enterprise IT and data managers, and the results reveal that the greatest challenge to database security may actually come from organizational issues, rather than nefarious or accidental acts. Six out of ten respondents blame "human error" for their data security breaches, and 45% blame fraud and abuse by insiders, such as employees or contractors. IT may be hamstrung by lack of management urgency or support.
The Ponemon-Symantec study points to the impact of lax management and policies. Frequent lapses in data security include lost or stolen laptops, flash drives, and mobile devices. Employees are negligent in their behaviors and fail to password protect, encrypt and/or delete data from their devices. Mis-mailing of information to the wrong recipient is also a problem: whether via email or postal mail, sending information to the wrong recipient is a leading cause in identity theft and data breach cases. Employee theft or loss of physical documents, back-up tapes, and data is also a problem. Many employees take their computers and mobile devices off-site, where they a) lose them and b) work in unprotected settings and on untrustworthy networks.
My colleague Heather Clancy just posted details of an identity-theft scam involving the filing of fraudulent IRS returns with stolen Social Security numbers. It's likely these numbers were lifted by insiders within businesses and doctors' offices.
There is some good news, as noted above. The cost per incident has actually gone down a bit for companies, which Ponemon credits to increasing vigilance among some companies. For example, companies with a dedicated security executive tend to reduce the average cost of a data breach as much as $80 per compromised record.
Still, data breaches are costly for most companies. For example, organizations that had their first ever data breach spent on average $37 more per record. Those that responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record. Data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.
The best approaches? Auditing data log files is fine, but only catches incidents after the fact -- sometimes long after the fact. Data encryption and masking will help prevent unauthorized viewing of files. Also, as noted above, when management gets on board, and education is provided, the problem can be controlled.
Ponemon's U.S. Cost of a Data Breach Study took into account direct business costs, including engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
(Photo by Joe McKendrick.)
Mar 20, 2012
On UNIX systems, a malicious person could set up a security trap easily, and through that trap, the person could add false transactions to a financial database or cause all files to be removed from the machine once that trap got triggered by an unknowing and innocent person. WZIS Software's WZFileGuard could help to detect most of the traps and prevent them from being triggered.
WZIS Software has a very specific solution for reducing the data breaches done by internal people: when you want to have a person transfer a file which contains the customer account information from one UNIX machine to another, how could you prevent that person from seeing the content of the file? The solution provided by WZIS Software is very secure, and that person can do the file transfer for that specific file only, not others, and is not able to read the file. The solution is presented in the "case study" at www.wziss.com
"Others delegate data protection to the IT department, which does little to protect against human error." In-house developed systems aside for the moment, most breaches occur in ERP and accounting systems purchased from major software vendors. With the exception of database and other server security, IT departments should not be tasked with access control to these information systems. Lacking governance (management guidelines) for regulating access to information, nobody tasked with security administration (aka access control) of these systems knows what data to protect, or how to properly protect that data. This is a highly complex challenge, requiring education across the entire organization, so that everybody knows what's at risk ($$$$$) and what they must do to protect the company against avoidable financial losses. When I worked at Oracle as an Information Security Professional, everybody with a computer had to periodically undergo computer-based training and certification regarding security, the same way so many corporations (Oracle included) require employees to periodically undergo training related to harassment in the workplace, ethics, etc.
Agreed, and I found in my research that IT managers are quite aware of the issues, but don't get the support needed from management, in terms of budget or staffing resources. One respondent to my survey even came right out and said that instead of investing in data security, his management considered it cheaper to just let an incident happen and patch it up afterwards!