The media runs stories on data breaches with increasing frequency, but the ones they know about are just the tip of the iceberg. In a Ponemon Institute study of 461 IT pros, 79% of respondents revealed that insider-related security breaches at their employer had gone unreported.
While an employee with bad intent certainly can execute a breach, most instances are less sinister in nature. Insider breaches ordinarily occur when a contractor or employee does something inadvertent, but usually against policy, such as clicking a link in a phishing email or mistakenly offering access to a party (or parties) who shouldn’t have it. In most instances a breach is the result of either a mistake, a lack of adherence to policy, or poor policy.
Keeping a breach under wraps is easy to understand. Target suffered a big hit in sales following their breach as shoppers steered clear of the retailer for a time. In business-to-business environments a breach is no less embarrassing and no less damaging to a company’s reputation, particularly a company that is being trusted with the technology functions integral to a customer’s business.
It is also a certainty that some breaches go unreported internally in organizations with limited executive visibility into the technology operations where the breach occurred. A technology contractor or employee can have their livelihood stripped in a hurry in such an instance. So the motivation is there to keep a breach quiet.
Whether a result of highly sophisticated hackers, insider malfeasance, sloppy policy, or an inattentive employee, it appears that breaches are difficult to avoid. No matter how good your security is, someone you do business with can screw up, leaving your data exposed. Security experts tell us to expect to be hacked at some point in time, and with breaches occurring far more often than we realize, that sounds like good advice.
Image used under Creative Commons, courtesy of Flickr and LennyK Photography.