The “big” retail data breaches and security hacks are scary and make news because they directly affect mass consumers. Mysterious cyber criminal groups stealing millions of dollars via hacks into large chains is a salacious story – with everyone wanting to know when, how, why, and what happens to them.
But data breaches that happen on the “inside” are more common, yet talked about much less. Whether the breach is caused by one or more malicious employees or by an honest mistake, internal security breaches are happening at the rate of 2,500 a day, yet only 1 in 5 IT professionals consider this type of security threat to be a top priority within their organization.
Careless or Vengeful? Both Can Jeopardize Security
A shocking 52% of employees see no security threat in sharing work logins. The starting point of the 2013 Target breach was network login credentials stolen from a third-party HVAC vendor, which were the gateway to other systems that allowed fraudsters to access the retailer’s POS system. While it is not known specifically how the credentials were stolen, the fact that a vendor’s credentials provided access into systems that allowed for a breach of payment data raises its own questions.
Morgan Stanley’s breach this January compromised 350,000 of its Wealth Management clients when an employee stole account records and posted 900 of those records online. Overall, partial account information of up to 10% of all Wealth Management clients was stolen. The rogue employee later admitted in court that he illegally accessed account holders’ names, addresses and other personal information, along with investment values and earnings, from computer systems used by Morgan Stanley to manage confidential data, court records note.
Accidents Will Happen
To err is human, as they say, so it should be no surprise that most insider breaches are due to human mistakes. A Forrester study revealed that insiders (employees) are the top source for data breaches, with 36% of the breaches resulting from improper use of data within the company. Joey Song of Business2Community explains how this can happen easily:
“One reason [for internal data breaches] could be due to a more indirect or accidental nature. More specifically, negligence or failure to establish proper security protocols on behalf of employers and their respective employees can unintentionally lead to data exposure. For instance, employees could very well send private company information, such as client or customer reference lists, to their personal emails, provide online account credentials to strangers, or leave online company data unattended, which can all lead to sensitive data exploitation. These insider-related data leaks can be directly attributed to lack of oversight, accountability, and, more importantly, proper training from their employers.”
What is Your Company Plan?
Regardless of whether an insider breach is intentional or a mistake, companies need to be proactive in implementing and enforcing security protocols inside their own walls. Even if a company can pin an inside breach on the employee at fault, it can still be found negligent. It could still lose millions of dollars in fraud losses. And its reputation could be destroyed.
Realizing that insider threats are just as dangerous as those coming from the outside – and are more common – is the first step toward recognizing that every company needs an internal security plan AND employee education:
- Each employee must have the mindset that all company information and data must, at all times, be held confidential
- Each employee must understand that although they have access to important data, the ownership of that private information is the company’s
- And employees must understand that any suspicious activity or behavior by vendors, other employees, etc., should be reported
There are many resources available to educate companies on security best practices, and Business2Community’s recent article on insider data breaches provides some great tips that help deter malicious activity, as well as making employees more aware and less likely to make a costly mistake.
What Does the Future Hold?
Bluefin specializes in PCI-validated Point-to-Point Encryption (P2PE), which encrypts payment cardholder data at the Point of Interaction (POI) in a PCI-approved P2PE device. Because the card data is decrypted only outside the merchant’s environment, clear-text cardholder data is never present in a merchant or enterprise’s system or network, where it could be accessible in the event of a data breach.
This type of technology completely devalues payment data so that if a hack does occur, the fraudster doesn’t get card numbers.
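As an added illustration (not Bluefin’s code, and not the key management the P2PE standard prescribes), the Go sketch below shows the split the paragraph describes: the POI device encrypts the PAN with AES-GCM under a key that only the decryption environment holds, the merchant keeps nothing but the ciphertext and a masked PAN, and only the processor can recover the number. The single static key and the field names are assumptions for this example; production P2PE devices typically derive a fresh key per transaction inside tamper-resistant hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"strings"
)

// EncryptedCard is all that leaves the POI device; the clear PAN is never in it.
type EncryptedCard struct {
	Masked            string // last four digits, for receipts and lookups
	Nonce, Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiEncrypt runs inside the POI device: the PAN is encrypted the moment it
// is read, under a key held only by the decryption environment. A static AES
// key stands in here for the per-transaction derived keys real P2PE uses.
func poiEncrypt(key []byte, pan string) (EncryptedCard, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return EncryptedCard{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCard{}, err
	}
	// The mask is bound to the ciphertext as associated data, so it cannot be swapped.
	masked := strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(masked))
	return EncryptedCard{Masked: masked, Nonce: nonce, Ciphertext: ct}, nil
}

// processorDecrypt is the decryption environment, the only place the clear PAN
// reappears; a wrong key or an altered record fails to authenticate.
func processorDecrypt(key []byte, c EncryptedCard) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.Masked))
	return string(pt), err
}
```

A merchant system that holds only `EncryptedCard` records cannot produce a PAN even if fully compromised, which is the “devalued data” the article refers to.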
Encryption technologies such as P2PE will be extremely valuable as their use expands to protecting all stored data, including social security numbers, account information, addresses, and more.
But no technology will ever diminish the need to have your employees and those who work for you educated on what to do and not do with data, and on how best to protect your company – and your corporate brand.