Data Breach Threats From Within Growing


While the external hacker is something companies have learned to defend against, the internal data breach threat is growing. Tools are still evolving to thwart insider thefts of company information.
By Jeff Casale

While the external hacker is something companies have learned to defend against, the threat of internal data breaches is growing.

    Insurance and cyber security experts say a computer-savvy employee who thinks his or her job may be in jeopardy may be more inclined to tap the organization’s database for information that may be useful in a new job with a competitor.

    Worse, the employee could attempt to take revenge on his or her employer as job cuts abound during the recession, experts say.

    "I think it’s safe enough to assume that, as people are put under greater and greater emotional stress, additional people may lose their moral compass and do things and take data that, in normal circumstances, they might not," said Alan E. Brill, New York-based senior managing director of technology services at Kroll Ontrack, a division of Kroll Inc., a consultant unit of Marsh & McLennan Cos. Inc.

    "But we have to live with the circumstances that we’re in; and if we’re in a higher-risk environment of people doing that, I think we have to be able to respond to that and provide the tools and technology to do so," Brill said.

    Brill said Kroll already is seeing a higher rate of incidents involving employees taking sensitive company data—either before or after they’ve been let go—that they intend to use to better themselves with another employer or start a competing business.

    Brian Lapidus, a colleague of Brill and the Nashville, Tennessee-based COO of Kroll’s fraud solutions division, said there were about 1,000 more data security inquiries to Kroll in December than just last July.

    "We’re seeing more [data] breaches and we’re seeing more activity from those people who have been victims of a breach," Lapidus said.

    A study that Ponemon Institute LLC released last month found that more than 88 percent of all data breaches involved insider negligence, while the remaining 12 percent were the result of a malicious act. The study also found that the cost of data breaches to companies rose in 2008 to an average $202 per record compromised, up 2.5 percent from 2007 and 11 percent from 2006.

    According to Traverse City, Michigan-based Ponemon, "the investment required to prevent a data breach is dwarfed by the resulting costs of a breach."

    Insiders gain access to the data through lax controls and monitoring of network systems, a direct effect of cutbacks in security software and information technology support staff, Brill and other cyber risk analysts say.

    "The ability to stop an insider who has access is not really practical," said Mike Rothman, senior VP of strategy with Acton, Massachusetts-based IT consultant eIQnetworks Inc. "The tools have been put in place to monitor [systems], but I think that IT workers have such a long list of activities to do on a daily basis … you can overlook the monitoring when you have other tangible projects that people are waiting for action on."

    Software programs capable of sweeping systems for irregular data flows are available, Rothman said. It is becoming more "critical" to run automated network scans as companies cut back on data security staffing, he said.

    But the attacks are becoming more complicated and intelligent, cyber risk specialists say.

    Alex Horan, director of product management for Boston-based Core Security Technologies, said hackers are using "more talented" malware—or malicious software—than in the past and that the attacks have gone beyond the viral e-mail or embedded link to what appear to be safe software downloads.

    In a data breach at Princeton, New Jersey-based Heartland Payment Systems Inc., investigators uncovered the breach in January but found that malware had been installed more than a year earlier, according to statements by Heartland executives.

    The malware was specifically designed to take certain information and was relatively undetectable. Heartland executives said they did not know how the malware was installed or how much data was taken from the payroll processing operation.

    "It’s an attacker knowing the organization and the type of data it holds," Horan said. "[The hacker] is not sending out a billion e-mails hoping that someone will click on the e-mail. It’s now a more targeted approach."

    Brill agreed, adding that malware is becoming more specialized and, in most cases, is undetectable by the software that fights malware as it is something software companies have not seen before and cannot defend against.

    Network security, especially for organizations that use a third party to manage databases, is becoming more important to companies, said Mark Steinhoff, a New York-based principal in Deloitte & Touche’s security and privacy practice.

    Deloitte recently surveyed global top 100 financial institutions, banks and insurers and found that 36 percent of the respondents were more concerned with internal breaches, while 35 percent of all respondents were concerned with internal and external breach threats.

    "When you look at what organizations are most concerned about, it’s both the internal and external threat," Steinhoff said. "The insider threat is getting more attention, but the tools to protect against it are still evolving."

    The recent attention surrounding data breaches is puzzling to Kevin P. Kalinich, Chicago-based co-national managing director of Aon Corp.’s financial services group for professional risks.

    "There have always been data breaches," but recent developments in state and federal laws that require data breaches be made public have generated more attention and the incorrect belief that data breaches are rising, he said.

    Kalinich said studies have shown that "people feel less guilty about taking electronic data" than hard-copy files and data breaches may indeed increase.

    "Organizations have to be aware of economic turmoil and specifically its effects on their employees," advised Tracey Vispoli, vice president and manager for the financial fidelity and cyber solutions unit at Warren, New Jersey-based Chubb Group of Insurance Cos.

    "I think people need to be more worried about [internal data breaches] than in the past. The trends are changing and essentially you have a workforce that is more disgruntled and more upset than in years past, and I think that is something that will be a looming issue in the years ahead," she said.

Workforce Management Online, April 2009


Jeff Casale is a reporter for Business Insurance, a sister publication of Workforce Management. To comment, e-mail editors@workforce.com.



Copyright © 1995-2009 Crain Communications Inc.
All Rights Reserved.