2008 Security Incidents

The Washington Post recently reported that the number of security incidents reported in 2008 surpassed the number reported in 2007 by fifty percent. From a numbers standpoint, it must be noted that the known security incidents are mostly the ones that companies have reported, and that many other security incidents are never discovered or never reported and so are not included in the data breach statistics.

Some security incidents are never discovered by the companies where they occurred, and some companies may not report incidents in order to avoid media and public scrutiny. Even so, there is no doubt that security incidents are on the rise: reported 2008 incidents increased compared to the previous year, and internal controls are not being improved, leading to repeat cases such as lost unencrypted laptops and other storage devices. Somehow companies don’t seem to learn from the mistakes others make in order to avoid the unnecessary burden of dealing with security incidents and related risks. Regardless, I think it’s very important to explore and analyze the reasons why security incidents are on the rise in order to better manage these risks going forward. The article provided much information that can be used for this analysis, but there are also other factors we can explore once we put our risk management hat on.

1- Companies are more comfortable with reporting their security breach incidents. Although most if not all of the 2008 security incidents are the ones reported by the affected companies, it is possible that companies are now reporting internal security incidents more often than they did in the past. There are many good reasons why companies may choose to do so. For example, security incidents are more commonly reported today, which makes companies a little more comfortable about reporting their own breaches. It is also now mandatory to report known incidents which impact consumer identities. And lastly, companies may feel more ethical than before, trying to do the right thing and fighting back instead of hiding their misfortunes.

2- Schools increasingly accounted for 20% of all reported 2008 security incidents. Schools are great places to steal identities and commit identity fraud because they hold plenty of personal information. It would be interesting to know whether insider conspiracy, which is one of the top reasons discussed in this article, may have contributed to the rise in school security incidents, because educational institutions typically do a better job at screening their employees and completing background checks than other industries due to the nature of their business and long industry history.

3- Company insiders are used to steal information. Insider conspiracy and collusion with outsiders is the easiest and cheapest way to steal an organization’s information assets, including personal information of employees, students and customers. It’s especially easy to convince an insider to commit an illegal act when the economy is bad and extra cash can come in very handy. Knowing this, it’s even more important to monitor employee activities as well as system activities to detect suspicious downloads of information during unusual business hours. Some companies even monitor employee credit files to detect lifestyles that are unusual and inconsistent with the employees’ job function and salary within their organization.

4- The incidents appear to be linked to organized crime. More and more, organized groups seem to be behind the biggest identity crimes, whereby specialized skills are acquired and allocated to the crimes. Such criminal plans may require the skills of a technical person to penetrate the systems and steal the information, or a networked seller to find buyers and close deals. Experienced identity criminals understand the financial value of personal information, and sometimes they combine their collective skill sets to organize a big business. Identity theft is not a new business trend but rather an evolving old business whereby new products continue to be added to the ever evolving product line for lucrative financial rewards. For example, illegal passport trade has been a big business for many years, whereby passports of western citizens are stolen or bought to be sold to the highest bidder for illegal entry into western countries.

5- Human error is the single largest cause. Yes, human error can be the single largest cause of many disasters and not just security incidents, and yet it is the easiest and cheapest to prevent. Most often, employees are not aware of company policies or fail to follow the rules, thus jeopardizing the security of their organization’s information assets. Once more, it’s very important to educate employees regarding management requirements and the consequences of violations, and then monitor to ensure compliance with prescribed directives.

6- The bad economy and recession have contributed to the increase in the 2008 security incidents. People are more inclined to commit fraud and illegal acts when they are most desperate, plain and simple, period. Companies and individuals alike must be extra careful during bad economic times to protect their identities.

7- Lost laptops and removable storage media are major causes of security incidents. Why? Because they are mainly unencrypted. Laptops and removable storage devices are great creations which allow us to work remotely, but the problem arises because such devices a) can be easily lost or stolen, b) are not encrypted, and c) are widely used these days. Although we now know that they contribute a great deal to identity theft, companies still fail to protect these devices while allowing their employees to use them enterprise-wide. If these devices were well encrypted, the risk of identity theft from them would go from a high to a very low percentage, probably close to zero, reducing the number of 2008 security incidents.

8- Computer hacking software is being used to commit this crime. I guess when insider complicity is hard to find, technical capability and know-how can be handy to penetrate an organization’s networks and systems to steal information. Driving around business buildings and searching for unprotected and available wireless devices and networks is a common practice to illegally enter systems and help oneself to whatever information is available. Wireless access is very risky when considering a) its widespread use and preference, b) employees’ lack of knowledge regarding risks or ignorance of management policies, and c) companies’ failure to protect wireless access and encrypt communications.
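The monitoring suggested in item 3, detecting suspicious downloads during unusual business hours, can be sketched as follows. This is an added example, not part of the original article; the log format, the business-hours window and the byte threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format): timestamp user action bytes
SAMPLE_LOG = """\
2008-11-03T10:15:02 alice download 1200000
2008-11-03T14:40:11 bob download 800000
2008-11-04T02:13:45 carol download 250000000
2008-11-04T02:19:30 carol download 310000000
2008-11-04T09:05:00 carol download 900000
2008-11-08T13:00:00 bob download 420000000
2008-11-05T23:50:10 alice download 50000
2008-11-05T11:00:00 dave login 0
malformed line here
"""

BUSINESS_START, BUSINESS_END = 8, 18  # assumed business hours: 08:00 to 17:59
THRESHOLD_BYTES = 100_000_000         # assumed per-user, per-day off-hours limit


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def flag_off_hours_downloads(log_text, threshold=THRESHOLD_BYTES):
    """Return {(user, date): bytes} where off-hours download volume >= threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "download":
            continue  # skip non-download events and malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue  # skip lines with an unparseable timestamp or size
        if is_off_hours(ts):
            # Aggregate per user and day so many small transfers still add up.
            totals[(parts[1], ts.date().isoformat())] += size
    return {key: total for key, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (user, day), total in sorted(flag_off_hours_downloads(SAMPLE_LOG).items()):
        print(f"ALERT {user} {day}: {total} bytes downloaded off-hours")
```

Aggregating per user and day means several mid-sized transfers in one night are flagged together, while a single small late-night download is not.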

There is not just one solution or strategy to protect information assets and reduce the number of future security incidents when compared to the 2008 security incidents. This battle must be fought primarily internally, through risk assessments, continued monitoring of external incident trends and causes, policies, procedures, policy compliance monitoring, awareness and training. A consistent national strategy must also be deployed and enforced to improve the security climate. For example, consumer notification laws are inconsistent from state to state and could be improved to be more effective. One of the biggest weaknesses, or rather challenges, of the reported 2008 security incidents is that they are not translated into the number of consumer records affected. In other words, when a company reports a security incident, we are unable to identify how many consumer records were affected by the breach, which forces the implementation of solutions that could be broad in scope, more expensive and less effective.
