Whenever I speak publicly, I always talk about how information technology and hacking are the “sizzle” that helps create the headline news for data-breach events.
However, this week’s news that 31 world leaders, including President Obama – who had their personal information breached, including name, date of birth and passport number – should remind employers and employees that human error is a significant factor in data breach events. In this case, an Australia immigration service employee mistakenly e-mailed the sensitive information of the above-mentioned world leaders days before November’s G-20 summit in Brisbane, Australia. However, the Australian immigration department did not report the breach to the world leaders even though it was a clear violation of the privacy laws of three of the affected countries, including the U.K., France and Germany, all of which require mandatory notification for data breach victims.
Well it gets worse. In IBM’s 2014 Cyber Security Intelligence Index, “95 percent of all security incidents involve human error.” According to the IBM’s report, “many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.” In January, Vormetirc, a data security firm, released its 2015 Insider Threat Report and found that 93 percent of U.S.-based organizations surveyed believed that they were vulnerable to insider threats.
The Vormetric survey received responses from more than 800 organizations worldwide. I read with great interest the following four highlights:
- 59 percent of U.S. respondents believed privileged users posed a threat to their organization.
- 46 percent named contractors and service providers as a risk to their organization.
- 43 percent said that business partners were a threat.
- 59 percent agree that most information technology security threats from insiders are the result of innocent mistakes.
I believe businesses, especially small- to medium-size businesses, need to understand that current and former employees, vendors and even customers are a potential threat to a future data breach event, whether it is an accidental release of information or an act of malicious intent. For the purpose of transparency, half of my company is in the ID theft and data breach risk management business and the other half is in the background screening and behavioral testing business. My colleague Jim Collins, a longtime background screening expert, said that “as per industry best practices, businesses should not underestimate the insider threat.”
Collins said, “While most organizations require background checks at the time of employment, very few employers conduct regular screening of their employees, such as annual background checks.” This means that longtime employees who have access to the most sensitive personal, company and proprietary information could be a threat based on “unknown changes in that employee’s personal and professional life,” Collins said. The Vormetric threat report said that “almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year – which tells us the situation has probably gotten more complicated.”
Mark’s Most Important: It doesn’t take the president or world leaders to recognize that employees — or even you — can make a mistake in data management and protection. Focus on increased employee education on information security.
Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at firstname.lastname@example.org.
This article was originally published on AZcentral.com and republished with the author’s permission.
Merchants Information Solutions is a proud sponsors and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships please see our sponsorship policy.