Second, require personal information on laptops to be encrypted, despite the potential cost ($50 to $100 per laptop) and the performance hit this involves, says Lazar. This needs to be accompanied by consciousness-raising, says Blair Semple, storage security evangelist at NetApp Inc. and vice chairman at the Storage Networking Industry Association's Storage Security Industry Forum. "I've seen situations where people had the capability to encrypt but didn't," he says. "Scrambling the bits is the easy part; it's the management and deployment that's hard."
Third, Lazar recommends policies requiring very strong passwords to protect data on stolen devices.
2. Insider Theft
In November 2007, a senior database administrator at Certegy Check Services, a subsidiary of Fidelity National Information Services, used his privileged access to steal records belonging to more than 8.5 million customers. He then sold the data to a broker for $500,000, and the broker resold it to direct marketers. The employee was sentenced to over four years in jail and fined $3.2 million. According to company officials, no identity theft occurred, although affected consumers received marketing solicitations from the companies that bought the data.
In another high-profile case, a 10-year veteran scientist at DuPont downloaded trade secrets valued at $400 million before leaving the company in late 2005 to join a competitor in Asia. According to court records, he used his privileged access to download about 22,000 document abstracts and view about 16,700 full-text PDF files. The documents covered most of DuPont's major product lines, including some emerging technologies. The scientist did this while in discussions with the competitor and for two months after accepting the job. He was sentenced to 18 months in federal prison, fined $30,000 and ordered to pay $14,500 in restitution.
Costs: In DuPont's case, the estimated value of the trade secrets was more than $400 million, although the government pegged the company's loss at about $180,500 in out-of-pocket expenses. There was no evidence that the confidential information was transferred to the competitor, which cooperated in the case.
Breaches on the rise
Since 2006, the number of documented data breaches* has risen by over 40% annually.
[Table: documented breaches and records exposed, by year; the figures did not survive extraction.]
According to Semple, theft of customer information is nearly always more costly than theft of intellectual property. In Certegy's case, a 2008 settlement provided compensation of up to $20,000 for certain unreimbursed identity theft losses for all class-action plaintiffs whose personal or financial information was stolen.
Blinders: Nearly 16% of documented breaches in 2008 were attributed to insiders, says the ITRC; that's double the rate of the year before. One reason for this increase is that employees are being recruited by outsiders with ties to crime -- a trend that accounts for half the insider crimes committed between 1996 and 2007, according to the CERT Coordination Center at Carnegie Mellon University.
Insiders commit crimes for two reasons, CERT says: financial gain (as in the Certegy case) and business advantage (as in the DuPont case). In the latter, criminal activity usually starts when the employee resigns, CERT says, but the thefts typically occur after the employee departs, having left behind secret access paths to the data they want.
Insider threats are among the hardest to manage, Semple says, especially when the workers use privileged access.