Saturday, March 18, 2006

Information Breaches, the Human Factor

According to the Privacy Rights Clearinghouse, millions of identities have been compromised recently. In fact, it's impossible to quote an exact figure anymore because new reports of breaches are surfacing weekly. In their chronology, they list several occurrences as being caused by a dishonest insider, but in reality how much more of this could be happening?

One of the recent stories was about Ernst and Young getting some laptops stolen. Several other breaches are listed as a result of stolen computers. The question is how did the people, who stole them determine which ones to steal and what information would be on them?

Many other breaches are listed as a result of "hacking." Hacking is a big word and brings visions of teenagers breaking into systems from afar. BUT is it possible, that some of the hacking occurring today might be the result of insider information obtained by the hackers?

A recent study by Taleo research found that background screening at many companies is inadequate. The results of this study are pretty interesting:

27 percent of organizations experienced a major problem, workplace fraud (10%), employee theft (10%) or workplace violence, with an employee who was screened in, but ended up having a criminal record that was not found.

57 percent of survey respondents believe that their organization should be doing a better job of screening employees prior to being hired.

Only 19 percent consider their current background check process very effective at weeding out candidates that do not meet the criteria for employment at their company.

Two-thirds of organizations do not conduct ongoing background checks on employees.

Only 29 percent have ever run an audit of their current screening provider to determine the quality of their screenings.

Of course, in the real world of data breaches, it seems that those, who have been breached, are extremely reluctant to reveal very many details.

AND there is another problem, which is the number of illegal immigrants out there in the work force. Depending on who you quote, they number in the millions and the trafficking is done by organized criminal gangs. Many of these immigrants owe lots of money to these gang members and already use fake, or stolen identities to work. How many of them might be repaying their debts by stealing information?

Here is a document from CERT, which shows the implications of organized cyber crime:

Organized Crime and Cyber-Crime: Implications for Business

There is no doubt this is trend is growing and will continue to be a problem. Whether these organizations approach insiders for information, or plant them from within with fake identities; they can steal a lot of what is a very profitable commodity in the world marketplace, or information.

Another potential problem is outsourcing financial and computer services to other countries, where the security standards are not up to par. In fact, this might even make some of these firms more attractive targets for the criminal element. I wrote about this in a previous post:

What are the Security Implications of Outsourcing

Until some of the organizations, who have been breached are held more accountable, we will probably never know the true scope of "insider involvement."

1 comment:

Anonymous said...

good post