More often than not, employees are to blame for breaches of data security, many times simply because they made mistakes.
Scott Leibs, CFO Magazine
May 8, 2007
Despite all the attention given to filched credit-card numbers and other damage wrought by computer hackers, a new University of Washington study puts hard numbers to what security experts have long claimed: you have more to fear from insiders than from outsiders.
The study looked at almost 600 incidents of compromised data over the past quarter century and found that employees are to blame about 60 percent of the time. Often it's not because they are maliciously out to steal or destroy information, but simply because they make mistakes. Lost laptops, sensitive information inadvertently forwarded via E-mail, and similar bungles are rampant.
Employee education has long been seen as the key to prevention, but companies can now buy new technologies that can prevent such errors. Code Green Networks, for example, makes a security appliance (a combination of hardware and software) that will do everything from monitoring the content of E-mails to "fingerprinting" sensitive documents so they can be tracked or, if needed, prohibited from being forwarded. Technologies for protecting data on laptops, and for locating the machines if they are lost or stolen, are now offered by many vendors.
But companies still have plenty to fear, from both within and without. As Steve Jones, chief technology officer at Signal Financial Credit Union, notes, "Even though accidents are a more common form of inside risk, the damage done by a single malicious incident can be huge."
That holds true for hacking as well. The University of Washington researchers found that while hackers were responsible for a smaller percentage of incidents than were insiders, they walked away with more data. Even in some of those cases, researchers say, companies are often to blame. They cite the example of Acxiom Corp., which saw 1.6 billion customer records compromised in 2003. In that case, a nonemployee who had been granted a password to upload data guessed (correctly) that the same password would allow him to download data. So he did.