Eye-openers: A good precaution is to monitor database and network access for unusual activity and set thresholds representing acceptable use for different users, CERT says. That makes it easier to detect when an employee with a particular job designation does something beyond his normal duties. For instance, DuPont discovered the illegal activity because of the scientist's unusually heavy usage of its electronic data library server.
If you suspect that a breach has occurred, CERT says it's important to act quickly in order to minimize the chance of information being disseminated and to give law enforcement agencies a chance to start investigating the case.
Companies should also implement role-based access-control tools to maintain a high level of accountability over who is accessing valuable assets, Lazar says. Databases containing customer or employee information should allow very limited access. "How many people, on a daily basis, need to review Social Security numbers and addresses without permission?" he says. "Personal information should be protected at the same level as trade secrets."
Muller recommends using data loss prevention tools to restrict personal data from being e-mailed, printed or copied onto laptops or external storage devices. Some of these tools provide alerts that inform administrators when someone tries to copy personal data and create a log file of such an event. "In a lot of cases, companies don't have proper audit trails in place," he says.
It's also important to strengthen internal controls and audit measures by, for example, implementing iterative checks on network and database activity logs, Semple says. It's not enough to keep detailed logs; you also need audit measures in place to see if anyone has modified a log or illegally accessed it. "Unless there's some way to verify the log information wasn't tampered with, it's hard to know it's of value," he says.
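The two controls described above, per-user activity thresholds (the CERT advice, and the heavy library-server usage that exposed the DuPont case) and a way to verify that a log has not been modified (Semple's point), can be shown together. This is an added example, not code from the article or from any of the quoted firms; the log format, the hypothetical role limits and the demo key are all constructed for illustration. Each record carries an HMAC that also covers the previous record's tag, so editing or deleting an entry after the fact is detectable.

```python
import hmac
import hashlib
import json
from collections import Counter

# Constructed demo key. In practice the key (or the chain head) would be
# held on a separate log host so a user who alters the database server
# cannot also recompute the tags.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def append_entry(log, user, action, key=KEY):
    """Append one audit record whose tag chains to the previous record's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "user": user, "action": action, "prev": prev_tag}
    msg = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify_chain(log, key=KEY):
    """Return the index of the first modified, reordered or missing record, or None."""
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        # A deleted or reordered record shows up as a sequence/prev mismatch.
        if body.get("seq") != i or body.get("prev") != prev_tag:
            return i
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # An edited field changes the message and so breaks its own tag.
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev_tag = rec["tag"]
    return None


def over_threshold(log, roles, limits):
    """Users whose record count exceeds the acceptable-use limit for their role."""
    counts = Counter(rec["user"] for rec in log)
    return {u: n for u, n in counts.items() if n > limits[roles[u]]}
```

Run `verify_chain` from a host the logged users cannot write to, and treat any non-None result as an integrity incident rather than a parsing error.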
But in the end, technology isn't enough. "You need to find a way to ensure users you trust are worthy of that trust," Semple says.
3. External Intrusion
In January 2007, retailer The TJX Companies Inc. reported that its customer transaction systems had been hacked. The intrusions -- which occurred between 2003 and December 2006 -- gave hackers access to 94 million customer accounts. Stolen information was found to have been used in an $8 million gift-card scheme and in a counterfeit credit card scheme. In the summer of 2008, 11 people were indicted on charges related to the incident, which was the largest hacking and identity theft case the U.S. Department of Justice has ever prosecuted.
Costs: TJX has estimated the cost of the breach at $256 million. That includes the cost of fixing computer systems and dealing with litigation, investigations, fines and more. It also includes payments to Visa ($41 million) and MasterCard ($24 million) for losses they incurred. The Federal Trade Commission has mandated that the company undergo independent third-party security audits every other year for the next 20 years.
However, others expect that costs may rise to $1 billion once legal settlements and lost customers are included. According to an April 2008 Ponemon study, 31% of an organization's customers, and the revenue they represent, end their relationship with it following a data breach. And in its recently released annual "Cost of a Data Breach" study, Ponemon found that breaches cost companies $202 per compromised customer record last year, compared with $197 in 2007. Costs associated with lost business opportunities represented the most significant component of the increase. The average cost of a data breach in 2008 was $6.6 million, compared with $6.3 million in 2007.
Blinders: According to a 2008 Ponemon study, data breaches by hackers rank a distant fifth in terms of security threats. Indeed, about 14% of documented breaches in 2008 involved hacking, according to the ITRC. That doesn't mean companies shouldn't be wary, however. In TJX's case, hackers infiltrated the system by "war driving" and hacking into the company's wireless network. TJX was using subpar encryption, and it had failed to install firewalls and data encryption on computers using the wireless network. This enabled the thieves to install software on the network to access older customer data stored on the system and intercept data streaming between handheld price-checking devices, cash registers and the store's computers.
Eye-openers: According to Muller, the WEP encryption that TJX used on its wireless network was insufficient -- weaker even than what many home users have. "If from the parking lot you can gain access to the database, you need a higher level of data security and data encryption," he says. TJX had also stored old account information instead of permanently deleting it, Muller says.