4. Negligent Employees
The spouse of a telecommuting Pfizer Inc. employee installed unauthorized file-sharing software on the worker's company laptop, enabling outsiders to gain access to files containing the names, Social Security numbers, addresses and bonus information of about 17,000 current and former Pfizer employees. An investigation revealed that about 15,700 people had their data accessed and copied by people on a peer-to-peer network, and another 1,250 may have had their data exposed. Because the system was being used to access the Internet from outside of Pfizer's network, no other data was compromised.
Costs: Pfizer contracted for a "support and protection" package from a credit-reporting agency, which includes a year's worth of free credit-monitoring service for those affected and a $25,000 insurance policy covering costs that individuals might incur as a result of the breach.
Blinders: Careless insiders -- not malicious ones -- are the No. 1 threat to data security, according to a recent Ponemon study, in which IT professionals said 88% of all breaches involved negligent insiders. "If there were more employee awareness about security, the number of breaches would come way down," Muller says. In Pfizer's case, the employee's spouse had configured the software so that other users of the file-sharing network could access files the spouse had stored on the laptop, but that gave people access to Pfizer files, too.
Combine negligent users and file-sharing software, and you've got a dangerous mix. Although most companies have outlawed P2P file sharing on their corporate networks, according to a 2007 study by Dartmouth College, many employees install it on their remote and home PCs. The study found, for example, that employees at 30 U.S. banks were sharing music and other files on peer-to-peer systems and inadvertently exposing bank account data to potential criminals on the network. Once business data is exposed, it can spread to dozens of computers around the world.
Eye-openers: First off, IT needs to either ban P2P software entirely or set policies for P2P usage and implement tools to enforce those policies. "[Pfizer] should have done a better audit of their systems to stop employees from loading any software," Muller says. "You can take away their admin rights so they can't install anything." Also important is training, he says, so users understand the dangers of P2P, what makes a good password and other standard security practices.
"There's a huge need for education so employees understand we're not trying to make things difficult but that bad things could happen," Semple notes. "It's having them understand, 'I can't do this, and here's why.'"
5. Subcontractor Breaches
In November 2008, the Arizona Department of Economic Security had to notify families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The drives were password-protected but not encrypted. The agency says no information was used to commit fraud.
Costs: Subcontractor breaches are more costly than internal incidents, averaging $231 per record compared with $171, according to Ponemon.
Blinders: According to Ponemon's annual cost study, breaches by outsourcers, contractors, consultants and business partners are on the rise, accounting for 44% of all cases reported by respondents last year. That's up from 40% in 2007. In the ITRC study, 10% of breaches were associated with subcontractors in 2008.
Eye-openers: Companies need to create service-level agreements that are airtight and specific, and then ensure that subcontractors are in compliance and penalize them if they aren't. In cases that involve the use of backup tapes or disks, Semple says, insist on encryption and password protection.