What’s to blame for 90% of data theft

Companies are losing increasing amounts of money because of data theft. And the cause behind most of those breaches may be surprising to HR pros.

The average cost to companies per incident of data theft in 2008 was $6.65 million, compared to $6.3 million in 2007, according to a recent report by PGP Corp. and the Ponemon Institute.

The total costs include loss of customers, legal fees and lost productivity while dealing with the issues.

The cause of those costly incidents? More than 88% were blamed on “insider negligence.”

In other words, those companies’ employees were to blame. Many cases involved actual theft by employees, the misplacement of laptops and other equipment containing sensitive files, or insecure electronic data transfers (for example, an employee sending information to his personal e-mail address to view it at home).

To prevent those expensive mishaps, HR and IT should work together to create effective policies governing the use of confidential customer and company data.

Comments


  JParr on Tue, 10th Mar 2009 1:31 pm

  These three simple rules help significantly, and work regardless of (and usually in conjunction with) industry or regulatory requirements:

    1. Encrypt all mobile devices. Encryption hides the data from anyone who does not know the encryption key (a password or other factor used to gain access to the mobile device). Windows offers EFS (“Encrypting File System”) and there are whole-disk encryption technologies that are commercially-available (e.g. CheckPoint, McAfee) for relatively little cost, considering the cost of inadvertently disclosing data stored on a stolen mobile device. Devices such as laptops, cell phones, blackberries, Windows Mobile devices and the like should be supplied by the company, and should be using company-supplied encryption software. All cellular mobile devices used for business should be supplied by the company and maintained under a centralized contract — NOT by the individual employee. Allowing a separated employee to keep their mobile device or phone number means you could be risking a customer relationship, or even allowing confidential information to leave the company.

    2. Create and enforce an acceptable use policy that spells out how employees are expected to handle company and consumer data. Spell out a policy that requires manager or above authorization for taking company / consumer data outside the building. Make sure the policy requires that company / consumer data can only be accessed using company-supplied equipment, using company-supplied encryption. Include policies for remote access, such as ensuring people use company-approved remote access methods, such as VPN, and NOT unapproved 3rd-parties such as “gotomypc”. HAVING a policy that clearly states the employee’s responsibilities and defines prohibited behavior works to help employees protect the company’s information assets as well as to support involuntary separation if the policy is not followed. A policy like this must be approved by executive management, and must be culturally-supported throughout the company. If the business line managers disregard the policy, enforcement must come from above.

    3. Perform periodic security awareness training. This can be as simple as a company-wide e-mail with information about a relevant security topic. Additionally, this provides an opportunity to educate employees on areas of the Information Security or Acceptable Use policies that exist on paper but are not widely known or enforced — this provides a foothold to start enforcing them. Awareness training can also be used to disseminate the process for reacting to a suspected data breach: Who to call, how the situation should be handled, and the like. In industries such as Healthcare and Financial Services, it may be more beneficial to use an on-line tool that forces each employee to “click and accept”, so that there is a clear record. Such a system can usually easily be built using existing internal workflow or collaboration software such as Microsoft Sharepoint with little or no capital cost.

    There are many more components to a comprehensive Information Security program, but these are the three things that virtually any company can easily implement, at little or no cost, that can make a tremendous difference, and help create a culture around the PREVENTION of data loss.