Network Computing Darkreading

Advertise

Risk

10/29/2013
04:20 PM

James Bindseil
Commentary

Connect Directly

4 comments
Comment Now

50%

Think Hackers Are IT's Biggest Threat? Guess Again

More than one third of all data security breaches at government agencies are caused accidentally by internal employees.

Iris Scans: Security Technology In Action

(click image for larger view)

Hacker groups such as LulzSec and Anonymous likely come to mind when discussing data breaches in the public sector. Both groups, along with other rogue hackers, have proven themselves more than capable of bypassing government security measures and gaining access to confidential data. But, surprisingly, they are not IT's biggest threat.

According to research by the Ponemon Institute, the actions of agency employees can be even riskier. More than one third of all data breaches are internal and unintentionally caused by employees, and federal agencies are not exempt. In fact, the public sector is one of the most targeted industries, second only to financial services.

"While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious," said Larry Ponemon, chairman of the research firm, in a recent interview. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey."

According to Privacy Rights Clearinghouse, government agencies have seen a steady increase in employee-caused data breaches over the last four years. Employee negligence has caused over 150 breaches since January 2009, resulting in the loss of more than 92.5 million data records.

[ Find out why malicious insider threats are getting harder to stop. Read Insider Threats Get More Difficult To Detect. ]

Unfortunately, public CIOs can't simply "plug the leak," but they can place a greater emphasis on the underlying cause of many data breaches: using insecure, un-managed methods to transfer sensitive data, such as:

-- Easily lost or stolen removable storage, particularly those housing unencrypted data (USBs, hard drives, disks, etc.)

-- Emails containing sensitive data sent to the wrong party

-- Third-party file-sharing and storage websites (Dropbox, Google Drive, etc.)

As occurrences increase in size and frequency, the cost per record lost is also rising. The Ponemon study reveals that the U.S. has one of the highest average costs per record ($136). The study also shows that third-party errors and lost or stolen devices have the most effect on the cost of a data breach.

1 of 2

Comment |

Email This |

Print |

RSS

More Insights

Webcasts

Moving UEBA Beyond the Ground Floor

Faster, More Effective Response With Threat Intelligence & Orchestration Playbooks

More Webcasts

White Papers

5 Steps to Quantifying Insider Risk

GDPR: What It Means & How SAS Data Mgmt Can Help

More White Papers

Reports

How Enterprises Are Attacking the IT Security Problem

[Interop ITX 2017] State Of DevOps Report

More Reports

Comments

Newest First | Oldest First | Threaded View

[close this box]

50%

Chuck Brooks,
User Rank: Apprentice
11/8/2013 | 9:31:03 PM

re: Think Hackers Are IT's Biggest Threat? Guess Again

James is on point, cybersecurity risks are often teh result of internal breaches. The best way to address this is to have Informed risk management for employees on security protocols and processes to provide basic security awareness/identify threats.

-+
-+

Reply | Post Message | Messages List | Start a Board

50%

pcalento011,
User Rank: Apprentice
10/31/2013 | 3:28:51 AM

re: Think Hackers Are IT's Biggest Threat? Guess Again

While certainly a "culture of security" can help address the threat, poorly architected systems also pose a risk. I'm not saying cloud computing or Big Data or any other technology is to blame, but a lack of planning leads to a lack of security. Blaming employees is too easy.

Reply | Post Message | Messages List | Start a Board

50%

Ulf Mattsson,
User Rank: Moderator
10/30/2013 | 9:31:33 PM

re: Think Hackers Are IT's Biggest Threat? Guess Again

I agree that "Secure and manage data in motion" and "Tightening the security perimeter will always be a top priority for federal IT professionals", but I think that the perimeter is gone and that the most attractive target is data in large databases.

I think that the flow of sensitive data across different systems and databases should be protected. I recently read an interesting study from Aberdeen Group about security-related incidents. The study revealed that GÇ£Over the last 12 months, tokenization users had 50% fewer security-related incidents(e.g., unauthorized access, data loss or data exposure than tokenization non-usersGÇ¥. The name of the study is GÇ£Tokenization Gets TractionGÇ¥.

I also think that security teams need to look at if data access patterns are normal for users that are accessing sensitive data. Tools can help to determine if the pattern is normal, is this what the typical employee does as part of their work, or is this behavior out of the ordinary.

Ulf Mattsson, CTO Protegrity

Reply | Post Message | Messages List | Start a Board

50%

D. Henschen,
User Rank: Apprentice
10/30/2013 | 6:38:01 PM

re: Think Hackers Are IT's Biggest Threat? Guess Again

This article has a government spin, but it's also very applicable to the private sector. Pay close heed to the practical advice on page two on curbing unintended data breaches unwittingly instigated by internal employees.

Reply | Post Message | Messages List | Start a Board

Live Events

Webinars

More UBM Tech
Live Events

INsecurity - A Dark Reading Conference: Join Us November 29-30 In The D.C. Area

Dark Reading Live EVENTS

INsecurity - For the Defenders of Enterprise Security

A Dark Reading Conference
While “red team” conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the “blue team” will be the focus.

Learn More

White Papers

5 Steps to Quantifying Insider Risk

2017 Threat Report

The DomainTools Report: Spring 2017 Edition

GDPR: What It Means & How SAS Data Mgmt Can Help

[Best Practices] Office 365 Security Monitoring

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!

Cartoon Archive

Current Issue

Security Vulnerabilities: The Next Wave

Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem

Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.

Download Now!

The Impact of a Security Breach 2017

0 comments

[Strategic Security Report] Assessing Cybersecurity Risk

0 comments

New Best Practices for Secure App Development

0 comments

More Reports

Slideshows

14 Social Media-Savvy CISOs to Follow on Twitter

0 comments | Read | Post a Comment

9 of the Biggest Bug Bounty Programs

0 comments

2017 Pwnie Awards: Who Won, Lost, and Pwned