The Globe and Mail


The weakest link

Special to Globe and Mail Update

Think hackers and viruses pose the biggest security threat to your corporate data? Think again. If sensitive information leaks out, chances are it'll be because someone in your office let it happen.

While it's true that deliberate sabotage campaigns by disgruntled malcontents aren't as improbable as most executives would probably like to think, more often than not, security leaks result from simple staff carelessness and bad habits born of inexperience and indifference. Whether it's choosing easily hackable passwords or copying confidential information without authorization, employees ranging from front-line desk jockeys all the way up to top executives are guilty of contributing to corporate computer security breaches.

The most recent Deloitte & Touche global security survey reveals that last year nearly 75 per cent of data leaks reported by businesses around the world happened either internally or through insiders who had some outside help or influence. Yet, only 65 per cent of businesses surveyed worldwide report training their employees in matters of data security, with a paltry 6 per cent providing education or awareness training to newly-hired employees.

The message is that for every penny counted in the business world, a piece of information is potentially slipping away. "A significant amount of data losses are things that could have been protected by better procedures," says Howard Schmidt, a former co-chair of U.S. Homeland Security who also worked as chief information security officer (CISO) for both eBay and Microsoft. "For example, there's often a striking lack of encryption when it comes to sensitive data. What happens if an employee copies sensitive information onto a CD and then leaves that CD in a coffee shop? Having a policy that prevents data from being copied or e-mailed away is just as important as making sure your passwords are safe."

With a recent Omnibus poll showing that 59 per cent of Canadians use easily hacked passwords such as names or birthdays in the workplace, it's clear that businesses need to focus on teaching employees not only how to choose good passwords but also how to protect them. "Passwords are the fastest way to break into anything," said Claudiu Popa, president of Toronto-based security consulting firm Informatica Corp. "Everyone has gotten desensitized to passwords, so they choose ones that are far too easy." The problem is that many people see passwords as a nuisance, an obstacle that delays them on their way to get at important information necessary for their job, Popa says. In reality, passwords are often the only line of defence.

For security veteran Tom Welch, president of WISE Security Solutions, internal leaks, not flashy hack attempts, are the real silent killers in the business world. "What you see in the news are the blips, the hacks, but the reality is most times the breach happens from within the organization," Welch says. "The big breaches, the real losses, happen at the highest levels of an organization, and those rarely show up in the newspaper. It's not because of hacks, it's because of users going above their security level or being careless with passwords and bad habits. That's how many frauds occur."

Among the many duties Welch's company performs for its clients, the most interesting is "white hat" hacking. Essentially, Welch gets paid by companies to hack into their own networks and pull out as much data as he can, thereby demonstrating the level of protection — or lack thereof — that company has for its delicate information. "At many organizations we'll find blank passwords, or the word 'password' being used, which is indicative of a weak company policy. Needless to say, it's not hard to hack into that," Welch says.