
Monday, October 13, 2008

Employees, not hackers, cause most corporate data loss

By Joel Hruska

Earlier this summer, we covered a report suggesting that the majority of corporate data loss comes from risky employee actions and from systemic failures at the corporate level to implement comprehensive IT security policies. Now a new study from Compuware supports Trend Micro's conclusions from back in July. The unsung heroes in the IT department, it turns out, may be doing a better job of stopping outside hackers than they get credit for.

According to a new study (PDF, info required) from Compuware, IT departments should take a bow—only 1 percent of corporate data losses this past year were due to hackers. Unfortunately, the good news mostly ends there. Negligent employees are far and away the largest cause of data breaches, but IT managers also listed outsourcing and malicious employees (possibly ex-employees as well, one assumes) as two significant reasons why data breaches often occur.

Compuware reports that of the 1,112 IT practitioners it surveyed, 79 percent said their organization had experienced at least one data breach. That's an extraordinarily high number, but several features of the survey's design may have inflated it.

  • Compuware does not completely define the term "data breach." It provides an indication of what it means by describing a data breach as "the loss or theft of information about individuals such as consumer data, customer information, employee records, and so forth." That definition is more than adequate for a general discussion or description, but fails to address certain meaningful nuances.
  • Compuware does not filter its results by magnitude; a breach that affected two million people is treated equally to one that impacted just two.
  • Compuware does not filter by severity; this is where the nuances of definition I mentioned earlier come into play. We know that a data breach involves the loss or theft of consumer data or employee records, for example, but we have no information on what, precisely, was stolen or exposed. If I'm a customer of JC Penney, and someone steals the list of customers who bought there over the past 24 months, I'm unhappy. If that list contained my home phone number and address, I'm concerned. If, on the other hand, that list contained my phone number, address, Social Security number, and credit card information, I'm downright worried, and may wish to take immediate action.

I raise these variables because the "gotcha!" of this particular story—79 percent of companies reporting data breaches—has, in my view, been somewhat distorted in the reporting. Compuware's figures may be perfectly accurate, but I'd be careful when drawing any conclusions from them—not every data breach is of TJ Maxx proportions.

In general, Compuware's study seems well-grounded and covers a number of interesting topics. Asked where their efforts are typically focused post-breach, a large group (41 percent of those surveyed) indicated that they participate in investigating, categorizing, and verifying the particulars of the incident. Eighteen percent of respondents indicated they were involved in remediation activities, 16 percent were tasked with training and educating staff or personnel, 11 percent conducted a root-cause analysis, and 10 percent established an incident response team.

I'm not sure what to make of that last figure, since an incident response team is a standing group trained to respond when an incident occurs, not something you assemble after the fact. The fact that so many respondents were involved in specifically establishing one implies that 10 percent of the organizations surveyed didn't have one to begin with. Note also the relatively low number of IT employees who were asked to spend time training fellow workers, as this will be important later.

Next up, we've got what I personally consider to be the most interesting information in the report, for all that it's largely gone unreported by the press. Having ascertained the roles IT personnel are most likely to play in the event of a data breach, Compuware asked them how confident they are in their own organization's ability to respond to such an event.

The majority of IT workers surveyed are clearly less than confident in their employer's ability to monitor and detect information theft, even though they themselves almost certainly play a role in such efforts; 56 percent of respondents labeled themselves either "Somewhat confident" or "Not confident." As for the "Unsure" category, it's hard to imagine that the security professionals who opted for it are secretly "Very confident" or "Confident." As for why the breaches themselves occur, one category stands out in particular:

Asked to name the leading causes of data breaches, IT staff couldn't run for the negligence category fast enough. Combine this with the fact that most respondents don't trust their company to detect data theft, and with the fact that relatively few IT staffers are tasked with employee training post-breach, and the entire corporate security model begins to sway suspiciously.

The majority of IT professionals surveyed don't believe their employers can adequately monitor company resources for data breaches or prevent these breaches from occurring. Who's causing the breaches? Negligent employees. Given these two facts, one would expect the number of IT staff involved in employee training to skyrocket post-breach as the company attempts to plug the hole, but again, the evidence suggests this isn't happening: the majority of IT staffers are involved in fixing the technical aspects of the problem, with relatively few addressing the root cause.

This obviously makes some sense, given that the IT department wasn't hired to teach Security 101, but it may also indicate that company management hasn't grasped the true root of the problem. It's easy to bring in a consultant for some remedial security training, but without the explicit involvement of the IT department, such training will inevitably focus more on general bad practices and less on the specific situations that may have exposed customer data in this particular case. There's nothing in Compuware's report, meanwhile, that suggests this loop is changing, or that IT workers today feel more confident in their company's ability to deal with a data breach than employees did five years ago.

The report ultimately suggests that the vast majority of companies have security models that are semifunctional at best. Accountability is a hit-or-miss affair, confidence in the system as a whole is minimal, and the flaws that contribute to data breaches aren't confined to any single level of an organization. Not the most optimistic Friday read, I'll admit, but the results aren't all that surprising, either.

