January 11, 2005 4:00 AM PST

Securing data from the threat within

(continued from previous page)

identity thefts she studied started with the theft of personal data from a company by an employee.

It takes only one rogue employee to put a company at risk, said Brian Tretick, a principal at Ernst & Young who works in the Privacy Assurance and Advisory Services group. One of his clients had an incident recently in which an employee in the human resources department took home documents that included Social Security and bank account numbers. The employee's brother coerced her into giving him access to the information, which he used to get credit cards and fraudulent accounts.

Secrets out
Several big-name companies, including Apple, Cisco and Microsoft, have had problems with internal information being leaked. In addition to the suits mentioned earlier, Apple is suing a Mac enthusiast Web site it said solicited insiders to break confidentiality agreements and leak information.

In June, authorities arrested a former AOL employee for allegedly selling 92 million AOL screen names to a spammer. He supposedly gained access to the data using a co-worker's identification code.

In November, a Connecticut man was arrested on charges of selling Windows 2000 and Windows NT 4.0 source code stolen from a Microsoft partner. He now may face up to 10 years in prison and a fine of $250,000.

Some of Cisco's IP router source code was leaked to a Russian Web site in May. It's unknown how the information got out, but some suspect an employee or partner may have leaked it.

The company found out about the fraud when employees affected by the scam compared notes and realized the information had been leaked from their employer. Only about 100 employees were hit by the scam, but because the company wasn't certain which workers had been compromised, it was forced to notify everyone. The company set up a 24-hour hotline to answer questions from employees. It is providing free credit reports to all workers for at least one year. It also changed some of its business processes to prevent future breaches. In the three months after the fraud was detected, the company spent more than $2 million to mitigate the effects, Tretick said.

The Association of Certified Fraud Examiners estimates that a typical U.S. organization loses about 6 percent of its annual revenue to fraud, according to Ernst & Young's global security survey published in September. When placed within the context of the U.S. gross domestic product for 2003, that amounts to roughly $660 billion.

"Companies are really conflicted about how to handle the internal threat problem," Tretick said. "They want to make their processes open and easy so they can run an effective business. That often means putting trust in the people who work for them. But all it takes is one bad apple."

The long arm of the law stretches
Over the past couple of years, outrage from customers and clients victimized by these schemes has spurred legislation at federal and state levels. New laws, including the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA) and California's Database Protection Act of 2003, have made companies legally responsible for protecting individuals' personal information housed in their databases.

What leaks
The Ponemon Institute's data security study asked respondents what type of leaks they'd suffered. Because respondents could cite more than one category per incident, the percentages don't total 100.

•  22 percent of leaks involved customers' personal data.
•  10 percent involved workers' personal data.
•  39 percent disclosed confidential business data.
•  14 percent leaked intellectual property, including software code.
•  16 percent: "Other."

While protecting personal information has become an important legal issue for companies, other sensitive information, such as intellectual property, leaked by insiders to competitors or to the public, can also have devastating financial consequences. The problem has become even more important as companies, particularly those in technology, increasingly outsource work.

"A lot of these outsourced employees have access to huge amounts of sensitive data," Ponemon said. "It's easy for them to download files or print them out and put them in a briefcase and carry them outside. In places like India or Latin America, where they are paid far less than counterparts in the U.S., stealing information and selling it can seem like (just) another source of revenue."

Most internal security breaches aren't the result of rogue employees, but are rather the result of negligence or error. Of the internal attacks cited in Ponemon's report, about almost 40 percent occurred because well-intentioned employees inadvertently caused security problems by how they handled sensitive information. Only 30 percent were attributed to malicious employees.

"Most internal security issues are due to organizational sloppiness," he said. "These aren't bad people. They are just trying to get a job done, but they aren't considering all the consequences to their actions."

Previous page
Page 1 | 2

4 comments

Join the conversation!
Add your comment
At last!
Bravo. A great article. Its great to finally see this news getting the recognition it deserves.

AppSense have been adovcating the threat from within for four years, with little media coverage.

It is clear that Security is about protecting everything in the enterprise, not just the perimeter.

Stephen Voisey
AppSense.com
Posted by (3 comments )
Reply Link Flag
At last!
Bravo. A great article. Its great to finally see this news getting the recognition it deserves.

AppSense have been adovcating the threat from within for four years, with little media coverage.

It is clear that Security is about protecting everything in the enterprise, not just the perimeter.

Stephen Voisey
AppSense.com
Posted by (3 comments )
Reply Link Flag
A Great Step
I definitely concur that this is a great article. I handle program protection supporting Joint Service NBC Defense programs, and I am happy to see that private industry do what the government has been doing for years.
As far as I am concerned the percentage of inside breaches is much higher; however through mandatory training and awareness, this number could be reduced drastically.
A lot of basic security is common sense, but it has to be monitored.
Hats off to industry. A great step has been taken. Honesty is an agreement with one's self, but making employees aware of proprietary information as an individual responsibility will minimize loss.
Posted by (2 comments )
Reply Link Flag
A Great Step
I definitely concur that this is a great article. I handle program protection supporting Joint Service NBC Defense programs, and I am happy to see that private industry do what the government has been doing for years.
As far as I am concerned the percentage of inside breaches is much higher; however through mandatory training and awareness, this number could be reduced drastically.
A lot of basic security is common sense, but it has to be monitored.
Hats off to industry. A great step has been taken. Honesty is an agreement with one's self, but making employees aware of proprietary information as an individual responsibility will minimize loss.
Posted by (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.