In this first article of a series, we explore insider theft related to data breaches, based on key elements of the Verizon 2011 data breach report. The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply that the opportunity was there.
The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.
Who is behind the data breaches?
- 92% external agents
- 17% implicated insiders
- < 1% business partners
- 9% involved multiple parties
How do breaches occur?
- 50% involved some sort of hacking
- 49% incorporated malware
- 29% physical attacks
- 17% from privilege misuse
- 11% employed social tactics
What commonalities exist?
- 83% were victims of opportunity
- 92% were not difficult
- 76% of all data was compromised from servers
- 86% discovered by a third party
- 96% were avoidable through simple or intermediate controls
- 89% of victims subject to PCI-DSS had not achieved compliance
End of excerpt. Continue reading for blog author comments.
A healthcare company stores credit card data on servers, unencrypted. Their excuse? It’s not connected to the actual credit card processing and access is restricted, so it’s not a PCI Compliance problem. See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including up to a $1.5 million fine for violating the HITECH Act.
Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse? It’s too hard to remember the password and they don’t acknowledge it’s a security issue.
Employees at a retail rental shop keep a file folder, in plain view of anyone entering the shop, containing copies of driver’s licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their need to bill customers who never returned with the goods.
Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrates, employee training is essential. Industry-wide, merchants are completing PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and is thus fully liable for all the associated fines, fees and damages.
In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.
Here are three things you can do to mitigate internal employee risk:
- Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
- Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
- Implement a reward system for identifying vulnerabilities in real-life practices, whether people, software, or hardware.
Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.