Gary Palgon
Vice President, Product Management
nuBridges
According to a report recently released by the data breach-tracking Identity Theft Resource Center (ITRC), there were 646 data breaches in 2008. That’s an astounding 47% increase over 2007. The greatest increase in data theft was a result of insiders siphoning off sensitive data. For example, 24% of all financial institutions’ data breaches in 2008 were caused by insider theft of sensitive information, while 16% of other businesses’ breaches and 20% of government incidents were attributable to employees or former employees. According to the ITRC, only 2.4% of all breaches had encryption or other strong protection methods in use and only 8.5% of reported breaches had password protection.
So, why the increase? Simple question, but there’s no simple answer. Let’s look at what’s fueling this surge.
- More disclosure laws are being passed by states, with Oregon, Wyoming, Massachusetts and Georgia recently implementing regulations requiring companies to inform their customers or employees when they’re data is lost or compromised. In other words, data breaches that once went unreported are now seeing the light of day.
- There are a growing number of large, well-funded organizations making highly focused assaults on large stores of critical data. These data thieves are no longer interested in just bits and bytes of electronic data. They’re focused on database farms where they can harvest data in bulk. According to the FBI, these attacks typically target large repositories of personal and financial information. Once stolen, data can be sold for anywhere from $8 to $22 per record.
- Data mobility via USB drives, laptops and other portable devices increases the risk of data being physically lost or stolen. Interesting stat that I came across recently – the Ponemon Institute estimates that business travelers lose more than 12,000 laptops in airports every week!
- Massive layoffs in the last half of 2008, which may have created scores of disgruntled employees with access to sensitive data, particularly in the financial industry, may have a lot to do with the increase in insider theft incidents. According to ITRC Director of Operations Rex Davis, thousands of laid-off bank employees control troves of bank codes and social security numbers. “They have access to the data, and they know how to use it,” says Davis, “Desperation is never a good thing.”
- Businesses don’t know where their sensitive data resides. I know of one company that told me they have three systems with credit card data, where in fact we found more than 30. In corporate emails; corporate portals or intranets; application databases; file systems and the like. If you don’t know where your sensitive data resides, how can it be protected? Perhaps sensitive data should be protected no matter where it resides, no matter where it’s in use.
- Cyber criminals are adopting more sophisticated techniques for breaking into businesses.
- Employees don’t understand the value of the data they work with or the number of ways that data could fall into the wrong hands.
Andy Greenberg (if you don’t read his articles on Forbes.com, you’re missing out on great insights into enterprise security, specifically data protection) wrote an article late last year on how to protect a company’s data. Following is an excerpt that really sums up the crux of the issue:
“. . . the old protection strategy of trying to harden the outside of companies’ networks to protect against hacker threats – what security researcher Bill Cheswick once called the ‘crunchy outside with a soft, chewy center’ approach – is giving way to a new strategy: safeguarding the data itself. Instead of trying to fortify the perimeter of the company’s network, some security technologies are aiming to evaluate the sensitivity of individual pieces of information and then apply security directly to movable chunks of information.”
Until next time,
Gary
