According to the latest study from the Ponemon Institute, 88% of all breaches in 2008 were the result of negligent insiders.

That’s not to say that our employees are malicious – most are basically good people. But you didn’t hire them to be security experts. The care and justifiable suspicion needed to detect and deflect data breaches do not come naturally to most people. They need constant reminding of the importance of security and of the tactics to protect your customers’ data.

According to the Ponemon report, here are the top risks your staff take with your data.

Not protecting personal equipment. Stolen laptops and other portable media accounted for 20% of all reported breaches. Make sure that your team understands that they are personally responsible for the device and the data on it.
You can also reduce your exposure to lost equipment through whole-disk encryption, or by restricting or segmenting the data on the laptop so that customer names cannot be tied to identifiers such as SSN or credit card number.
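One way to do that segmentation in practice is to tokenize the sensitive identifiers before the data is exported to a laptop: the export carries the customer name plus an opaque token, while the key and the token-to-identifier map stay on the server. The following is an added example written for this post, not code from the Ponemon report or any product; the `TokenVault` class, the `export_for_laptop` function and the customer records are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records, not real customer data.
CUSTOMERS = [
    {"id": 1, "name": "Ada Lovelace", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"id": 2, "name": "Alan Turing", "ssn": "987-65-4321", "card": "5500000000000004"},
]


class TokenVault:
    """Server-side vault (assumed design): holds the HMAC key and the
    token -> identifier map. Neither the key nor the map is ever copied
    to the laptop, so the export alone cannot be tied back to an SSN."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._map = {}

    def tokenize(self, value: str) -> str:
        # Keyed hash: without the key an attacker cannot brute-force the
        # 9-digit SSN space against the token the way they could with a plain hash.
        token = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._map[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only callable on the server, where the map lives.
        return self._map[token]


def export_for_laptop(records, vault: TokenVault):
    """Build the rows that are allowed to leave the building."""
    rows = []
    for r in records:
        rows.append({
            "id": r["id"],
            "name": r["name"],
            "ssn_token": vault.tokenize(r["ssn"]),
            # Last four digits are enough for a rep to confirm a card with a customer.
            "card_last4": r["card"][-4:],
        })
    return rows


def leaks_raw_identifiers(rows, records) -> bool:
    """Check that no full SSN or PAN from the source records appears in the export."""
    blob = repr(rows)
    return any(r["ssn"] in blob or r["card"] in blob for r in records)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))   # key generated and kept server-side
    export = export_for_laptop(CUSTOMERS, vault)
    print(export)
    print("leaks raw identifiers:", leaks_raw_identifiers(export, CUSTOMERS))
    # Back on the server, a token can be resolved when there is a business need.
    print(vault.detokenize(export[0]["ssn_token"]))
```

If the laptop is lost, the thief gets names and tokens; resolving a token requires both the key and the server-side map. Rotating the key makes every token in old exports worthless, which is a cheap response to a reported loss.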

Trusting insiders too much. While most people are basically good, every company has its share of disgruntled staff. Insider theft is relatively rare but tends to be very severe when it happens. Pay attention to changes in behavior or attitude: most insiders showed clear signs of their dissatisfaction well before beginning their crimes. Watch for unusually heavy use of your databases or other information systems.
Minimize your exposure by setting role-based permissions for your team members based on their business need for the application or data. If they need it for their job, great – if not, take it away. That's less risk for both of you.
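"Unusually heavy use" and "business need" are both things you can check mechanically against a query audit log. The script below is an added example, not from the Ponemon report or any vendor tool: it reads constructed audit lines (the format `date user=... table=... rows=...` is assumed), flags any user whose daily row volume jumps far above their own earlier median, and separately lists every table a user touched that their role does not cover. The `ROLE_TABLES` map stands in for whatever role-based permission model you actually run.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit log, one line per query; not from a real system.
AUDIT_LOG = """\
2008-11-03 user=jsmith table=customers rows=40
2008-11-03 user=jsmith table=customers rows=25
2008-11-03 user=mlee table=orders rows=200
2008-11-04 user=jsmith table=customers rows=30
2008-11-04 user=mlee table=orders rows=180
2008-11-05 user=jsmith table=customers rows=35
2008-11-05 user=mlee table=orders rows=210
2008-11-06 user=jsmith table=customers rows=48000
2008-11-06 user=mlee table=orders rows=190
2008-11-06 user=mlee table=customers rows=500
"""

# Assumed role model: the tables each user has a business need for.
ROLE_TABLES = {
    "jsmith": {"customers"},   # customer service
    "mlee": {"orders"},        # fulfilment
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) table=(\S+) rows=(\d+)$")


def parse_log(text):
    """Return (day, user, table, rows) tuples; silently skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, user, table, rows = m.groups()
            events.append((day, user, table, int(rows)))
    return events


def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))   # user -> day -> rows
    for day, user, table, rows in events:
        totals[user][day] += rows
    return totals


def volume_anomalies(events, factor=10, min_history=3):
    """Flag (user, day, rows, baseline) where a day's row total exceeds
    factor x the user's median over earlier days. A user is only judged
    against their own history, and only once min_history days exist."""
    flagged = []
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if per_day[day] > factor * baseline:
                flagged.append((user, day, per_day[day], baseline))
    return flagged


def access_outside_role(events, role_tables):
    """List (user, table) pairs where the user touched a table outside their role."""
    return sorted({(user, table) for _, user, table, _ in events
                   if table not in role_tables.get(user, set())})


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for user, day, rows, baseline in volume_anomalies(events):
        print(f"VOLUME: {user} pulled {rows} rows on {day} (median {baseline})")
    for user, table in access_outside_role(events, ROLE_TABLES):
        print(f"ROLE: {user} queried {table} without a business need")
```

In the sample, jsmith's 48,000-row day stands out against a median of 35 and is flagged, while mlee's extra 500 rows stay under the threshold on volume but show up on the role check because fulfilment has no need for the customers table. Tune `factor` and `min_history` to your own baselines; the median is used rather than the mean so one earlier spike does not hide the next one.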

Bypassing your security controls in the name of efficiency. The next largest category of breaches is the result of well-meaning insiders who are trying to improve the company but who don't understand the implications of the change they are making. The store manager at TJ Maxx who installed his own wireless router is a classic example. He thought he was increasing the flexibility of his operations. His poor security configuration, however, exposed the company's entire network to any hacker with a wireless laptop in the parking lot.
Never let anyone but your designated IT staff install equipment or make changes to your systems. And have those changes regularly tested.

Bypassing your security controls in the mistaken belief that it's their computer. It's not. It's the company's computer. Have a firm policy that they cannot install peer-to-peer or other high-risk software on the computer. Incidental personal use may be okay. Installing software is not.

Not watching your vendors as closely as you watch yourselves. According to the study, you should be watching your vendors far more closely. Breaches by outsourcers, contractors, consultants and business partners accounted for 44% of all breaches reported in 2008. Statistically, they were also more expensive, costing the company 35% more in direct and indirect costs than an equivalent breach of the company’s own systems. Vet your vendors carefully and set clear expectations on your security needs. Then follow up and check on their security practices. Conduct your own audits and ensure their compliance.

There’s a lot more in the Ponemon study worth reading. This is their fourth annual study of the costs of a data breach and the trends are enlightening. You can download a copy at
