Data loss is not simply down to security breaches; what price loyalty?
Earlier this year Verizon published its 2010 Data Breach Investigations Report: a study conducted by the Verizon RISK Team in cooperation with the United States Secret Service. I wanted to comment at the time but, frankly, found it too difficult. My first concern, which probably won’t worry many people as much as it worries me, is simply that there is no such thing as a free lunch. Why has the US Secret Service lent its name to this study? I can see enormous name-dropping benefit to Verizon (American citizens tend to have a high regard for their Secret Service), but I can see little visible benefit to the Service. My fear is that there may be an invisible benefit. Translated to my side of the Atlantic: would I want CESG/MI5 and BT scratching each other’s backs? No, I absolutely would not.
But that aside, I had difficulty with the arithmetic of the statistics – for example, the top three types of hack attack accounted for 180% of the stolen records during the period concerned. My assumption (and I may well be wrong here, because I am no mathematician) is that sometimes more than one type of attack is used in the theft of individual records; but that reduces the value of the information given, since I don’t know which different attacks were most successfully combined.
I am not trying to diminish the report – far, far from it. It is an absolute Aladdin’s cave of security information. If you are involved in infosec, you really need to get and read this report. All I’m doing is explaining why I didn’t review it at the time. OK, so why bring it up now? Well, it’s because of a new employee survey conducted by SailPoint. Verizon had earlier commented:
Recently, many have hypothesized that insider crime would rise due to financial strain imposed by global economic conditions. Hard times breed hard crimes, as they say. It is entirely possible that this is occurring, but neither the Verizon nor the USSS caseload shows evidence of it. As seen back in Figure 6, Verizon shows a flat trend for insiders and the USSS shows a downward trend over the last three years.
To me, this simply flies in the face of current received wisdom – and even common sense. The SailPoint report would seem to agree with me, finding that 23 per cent of UK employees will take customer lists and other sensitive data when they leave their employer. Considering that a far higher number of staff will ‘leave their employer’ in difficult times (like right now), the only logical conclusion is that staff data thefts are increasing.
“More than anything, this highlights something we’ve been saying for some time, namely that with insider threats, IT managers are fighting a less visible, but not less difficult, threat in addition to the well-publicised external threats. Staff are precisely the people who have access to data that needs to be secured and carefully controlled,” said Amichai Shulman, CTO of security company Imperva. “In addition, the survey shows that the insider threat is not always the potentially rogue employee for whom a background check has been completed – staff also need to be monitored during their employment, as the information may not necessarily be ‘maliciously’ downloaded after the termination notice, but rather information was rightfully obtained and collected by the employee over time and actually should have been removed upon termination by the IT team,” he added.
There’s another statistic from this report we should also consider: if staff inadvertently get access to a confidential file, such as one containing salary information, personal data, or plans for a pending merger, only 57% of respondents would actually look at the file. “This figure is surprising,” comments Shulman, “as I would have thought that 99% of people accidentally stumbling into such information in the web would have read the file. The fact that the percentage among employees is lower is an indication of loyalty.”
This word, loyalty, is possibly the explanation for the different views of the insider threat between the two reports. Data breaches (as per the Verizon report) are decreasing because of staff loyalty. But staff who are terminated have their loyalty terminated at the same time – and are quite likely to take corporate data with them. So data loss caused by insiders might well be increasing. If this is the case, companies must beware of putting all of their security budget into security products – they also need to get their procedures and staff relations optimized in order to prevent information walking out of the door with the staff they are ‘letting go’.
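Neither report spells out what those procedures should look like, so the following is an added example of my own, not code from Verizon, SailPoint or Imperva. It takes the three things the post and Shulman’s comments point at – accounts that outlive the employee, access after the termination date, and data gathered in the run-up to leaving – and turns them into checks an IT team could run over its own leaver list and access logs. The data below is constructed for illustration; the field layout, the 14-day window and the 10,000-record threshold are assumptions, not figures from either report.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): leaver list, the accounts
# still enabled in the directory, and a handful of access-log events.
TERMINATIONS = {
    "alice": date(2010, 9, 10),
    "bob": date(2010, 9, 20),
}

# 'alice' has left but her account is still enabled; 'bob' was deprovisioned.
ACTIVE_ACCOUNTS = {"alice", "carol"}

# (user, day, action, resource, records touched)
ACCESS_LOG = [
    ("alice", date(2010, 9, 1), "export", "crm/customer_list", 12000),
    ("alice", date(2010, 9, 8), "export", "crm/customer_list", 30000),
    ("alice", date(2010, 9, 12), "read", "hr/salaries.xlsx", 1),  # after she left
    ("bob", date(2010, 8, 1), "export", "crm/customer_list", 200),
    ("bob", date(2010, 9, 19), "read", "finance/merger_plan.docx", 1),
    ("carol", date(2010, 9, 15), "export", "crm/customer_list", 500),
]


def stale_accounts(terminations, active, today):
    """Leavers whose termination date has passed but whose account is still enabled.
    This is the 'should have been removed upon termination' check."""
    return sorted(u for u, d in terminations.items() if d <= today and u in active)


def post_termination_access(log, terminations):
    """Log events by a leaver dated after their termination date."""
    return [e for e in log if e[0] in terminations and e[1] > terminations[e[0]]]


def pre_departure_exports(log, terminations, window_days=14, threshold=10000):
    """Bulk exports in the window before termination, compared with the same
    user's export volume before the window. Returns {user: (window, baseline)}
    for users whose window total reaches the threshold (assumed value)."""
    window_total, baseline_total = {}, {}
    for user, day, action, resource, records in log:
        if action != "export" or user not in terminations:
            continue
        end = terminations[user]
        start = end - timedelta(days=window_days)
        if start <= day <= end:
            window_total[user] = window_total.get(user, 0) + records
        elif day < start:
            baseline_total[user] = baseline_total.get(user, 0) + records
    return {
        u: (n, baseline_total.get(u, 0))
        for u, n in window_total.items()
        if n >= threshold
    }


def leaver_report(log, terminations, active, today):
    """Combine the three checks into one structure an IT team could review."""
    return {
        "stale_accounts": stale_accounts(terminations, active, today),
        "post_termination_access": post_termination_access(log, terminations),
        "pre_departure_exports": pre_departure_exports(log, terminations),
    }


if __name__ == "__main__":
    report = leaver_report(ACCESS_LOG, TERMINATIONS, ACTIVE_ACCOUNTS, date(2010, 9, 25))
    for check, findings in report.items():
        print(f"{check}: {findings}")
```

Run as a script it lists one still-enabled leaver account, one file read two days after that leaver’s termination date, and one leaver who exported 42,000 customer records in the fortnight before departure against a baseline of none. In practice the leaver list comes from HR and the log lines from the CRM or file server, and the point of the baseline column is that a spike in volume, not the export itself, is what merits a conversation before the leaving date rather than after it.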