A survey carried out in the US and UK has found that 41% of employees have willingly taken corporate information. When one has a data breach due to accidental loss or theft, data protection solutions like full disk encryption can mitigate the ensuing developments. However, what can one do when the threat comes from the inside?
The survey takers worked in the financial centers of London and New York, which may account for the high rates of data pilfering (I know, unfair and uncalled for. But, I'm still ticked off about the global financial meltdown). Regardless, the numbers are quite surprising:
- 41% of the respondents have taken data from their jobs (85% of respondents knew it was illegal to do so)
- 33% would take data to help someone get a job
- 13% of workers would take usernames and passwords to use at a later date
- 57% of employees found it easy to take sensitive data, an increase from 29% last year
Plus others, found at the cyber-ark.com link at the bottom. The following types of information were stolen, most popular to least:
- Customer and contact details
- Business plans and proposals
- Product details
The above dovetails perfectly with the survey's findings that people are stealing such data to get an edge when procuring a new job.
That 57% figure, about finding it easy to steal data, weighs on my mind. It could mean, for example, that companies have relaxed their data security controls over the past year. I find this unlikely. I don't mean to imply that there were no such companies. Rather, I find it dubious that so many companies decided to do so over the past year.
Instead, another interpretation--and in my opinion, a more likely one--is that there were even more employees who have attempted to take sensitive data over the past year. In other words, the statistic represents a tremendous growth in employees engaged in data theft.
Think about it: if companies don't curtail their data security expenses, but there is an increase in successful data theft rates over the previous year--meaning there wasn't enough time for a new technology to make past defenses ineffective--what other conclusion can one come to? Combine this with the fact that the economy has been steadily worsening, and it seems to me that this is the correct interpretation.
This in turn implies that corporate data security in place last year was not adequate enough. It just appeared good enough because there weren't enough people engaging in data theft.
Admittedly, it's difficult to prevent internal data theft. However, that doesn't mean that a company cannot minimize data breach instances.
To begin with, data monitoring is necessary. If your employees know that the company is not monitoring its data, they are likely to engage in data theft. Even with monitoring, employees may attempt to steal data. However, overseeing improper data access will point out infractions; following up with such employees lets everyone know that the company is actively engaged in monitoring and leads to fewer people attempting data theft.
Also, companies may want to engage in USB port control and blocking. According to the survey, saving information to USB memory sticks is the most popular way of stealing information. And why wouldn't it be? They're easy to carry, easy to hide, and easy to use.
Plus, their capacity is increasing exponentially, while their costs are plummeting on a per byte basis. If a company decides not to engage in monitoring, the least it can do is prevent its employees from saving corporate information to personal devices.
Changing passwords from time to time is also recommended. Obviously, accounts and passwords used by employees who've been let go should be disabled. However, in an office environment, passwords are shared, more often than one can imagine; hence, changing passwords is advisable.
Last but not least, never forget that threats are everywhere. In other words, don't forgo disk encryption just because you've decided to go gung-ho on internal security. External threats are not going anywhere either.
Related Articles and Sites:
http://www.out-law.com/page-10546
http://www.cyber-ark.com/news-events/pr_20091123.asp