How You're Putting Your Company at Risk for a Data Breach
Sorry to be the one to give you the bad news, but you might be the reason your company's network was breached.
"Well-meaning insiders represent a weak link in the security posture of many organizations," said Robert Hamilton, senior manager of product marketing with Mountain View, Calif., anti-virus giant Symantec. "Few employees seem to realize the critical role they play in keeping information safe."
Symantec recently joined forces with the Ponemon Institute to conduct a study, the report of which was released last month as "2011 Cost of Data Breach Study: United States."
One of the study's findings was that employee negligence is a factor in 39 percent of data breaches.
"Employees continue to put information at risk in the course of doing their jobs. For instance, they remove information from company systems without permission so they can work from home or take information to an off-site meeting," Hamilton said.
"What's more, employees are removing sensitive information by insecure means such as uploading files to staging sites, emailing information to webmail accounts or third parties and putting data on an unencrypted USB stick or external hard drive," he added. "In the simplest terms, employees do the wrong thing for the right reasons and, as a result, they are the most frequent cause of data breaches."
While some companies may have a malicious insider who willfully puts the entire firm at risk, the majority of insider-related breaches are done by accident.
"It's hard to protect a business against human error," said Geoff Webb, director of product marketing with Dallas-based data-protection company Credant Technologies. "Employees will often copy information onto a device, perhaps one they've brought in from home, to move to another system or to take home to work on over the weekend.
"What they don't do, unfortunately, is ensure that the information is destroyed after it's been moved," Webb added. "So more and more data gets left on what is essentially an untrackable storage device — a recipe for a breach.
"Worse, as these devices continue to fall in price and grow in storage capacity, there's less and less reason to worry either about cleaning files off them or giving it a second thought when you leave it in your hotel room or in the back of a taxi."
One of the biggest problems is that the majority of employees don't realize that they even play a role in corporate security.
"In a survey of 3,000 office workers in North America and Europe, Symantec found that 78 percent think their IT department is solely responsible for protecting information," Hamilton said. "Employees don't understand their role in data security, or they may view the company's security policies as a hindrance to their jobs."
Your boss needs to get on board
However, employers aren't exactly innocent bystanders in the security game, either. When it comes to security education, many companies are doing only the bare minimum to keep employees informed. The truth is that employers and security teams need to step up their game, too.
"Even with loads of training, it's been demonstrated time and time again that [employee] behavior doesn't change much," said Josh Shaul, chief technology officer at Application Security, Inc., a New York-based provider of database security.
"Education is an important part of any info security program, but putting the burden of security on all the employees isn't the right approach," Shaul said. "Security teams need to leverage technology as much as possible to eliminate the human factor in this security equation."
Basic flaws – and basic fixes
According to Hamilton, there are three fundamental ways employees put confidential data at risk, and steps employers can take to help lessen each.
Risk 1: Employees take their laptops home or use removable storage devices.
The fix: Encrypt laptop hard drives, and enforce the use of encrypted removable storage devices in combination with security awareness training.
Risk 2: Employees email copies of confidential data to their personal email accounts.
The fix: Monitor outbound corporate email, and use data-loss-prevention software to send an automatic reminder to the sender when it sees confidential data leaving the organization.
Risk 3: Employees upload data to cloud-based file-sharing sites that are outside of the control of the company.
The fix: Monitor uploads using data-loss-prevention software, and use the same reminder capability to help users understand when they may be putting confidential data at risk.
And if a company doesn't provide much help with security, there are a few basic steps that every employee can take on his or her own, Webb said — such as knowing the following:
What constitutes a strong password — especially the fact that longer passwords are far more secure than even random-appearing short ones.
How to manage passwords — that is, to not use the same password for your home email as you do for your corporate account.
Exactly which data is sensitive and could be damaging if exposed.
"There's no point [in] training people to be careful if they don't know why," Webb said.
How to handle sensitive data — especially the special requirements for copying and transporting information.
How to spot (and avoid) social engineering techniques that can be used against employees.
"Don't assume someone has a right to access just because they tell you they do," Webb said.
What employees should do if they suspect a co-worker is up to something. In many insider attacks, other employees know something is going on long before the business itself does.
"It really comes down to a few basic things, especially being aware of the information that you're handling," Webb said. "Most employees shouldn't spend their time worried about programming rules for their organizations' firewalls.
"But at the same time," he added, "if they simply walk out the door with a CD full of customer records and then leave it on the train, all the high-tech (and therefore expensive) network security tools in the world aren't going to keep the business out of the headlines."