The cybersecurity and data protection industries are still reeling from the shell-shock that was 2014. With the highest number of data breaches recorded in a single year, last year was an eye-opener for business leaders and consumers alike. While the industry is still sorting through how these record-setting events happened and what can be done to keep 2015 from playing out the same way, a few key takeaways can already be identified.
One of the chief causes of data breaches is what’s known as the internal data breach. Internal data breaches, as the name implies, occur when a company’s own employee opens the business up to a hacking event or data leak. They fall into two categories: intentional and accidental.
In an intentional internal data breach, an employee, vendor, or third-party contractor purposefully accesses customer or employee data with the intent to use it. This could be checking out their co-workers’ Social Security numbers and birth dates, accessing client credit card numbers, or any number of other scenarios that lead to the theft of personally identifiable information. Typically, a thief in this instance either uses the information personally to open financial accounts or commit tax refund fraud, or sells the list of information to a thief who will pay good money for it.
There have been a lot of these cases in recent months. Every type of thief, from elementary school cafeteria workers to a fraud ring that targeted deployed soldiers and impoverished children, has been guilty of this type of crime. Unfortunately, it’s a crime of convenience, especially in any field that gathers and stores lots of excess information on individuals.
An equally detrimental, though somewhat less malicious, type of data breach is the accidental breach. It still involves an employee of the company who ends up giving a criminal access to large stores of personal information, but in this case the employee may only be guilty of poor judgment or of failing to follow company policy. An accidental breach occurs when an employee does something that exposes information to a hacker, such as clicking on a malicious link in a phishing email, downloading harmful software to the network by mistake, or losing a company laptop or flash drive that contained sensitive information.
Unfortunately, whether the employee intended to expose the company to thieves or not is irrelevant, as the outcome can be the same. The infamous Target data breach that affected over 100 million consumers has been traced back to a third-party contractor whose employee clicked on a phishing email, thereby downloading harmful software that infiltrated Target’s POS system. That employee certainly didn’t mean to cause one of the largest data breaches to date, but that is what happened.
So what can you do about this type of data breach, especially when you consider that one involves someone who is determined to nab personal information and the other involves someone who seemingly doesn’t care enough to protect it?
There are a number of steps businesses can take, starting with ensuring that employees can access only the information their job actually requires rather than having unrestricted access to it. You can also ensure that your business (or the companies you patronize, if you’re a consumer) doesn’t gather more information than it needs, and doesn’t store the information it does gather on unsecured devices or networks. Employers can present their staff with clear policies for computer and technology use, and they can spell out and enforce the consequences for violating those policies.