A bit more on stolen information

In my previous post, I called attention to a story where a bank employee in Switzerland stole information from HSBC’s list of clients and gave (or more probably, sold) it to the French government.  The government intended to use the data to go after tax evaders.

I put my own spin on things and suggested that banks not only have to worry about phishers and hackers stealing data, they also have to worry about their own employees stealing it.  The question that naturally arises: which is the bigger worry?  Electronic theft?  Or employee theft?

Microsoft’s Security Intelligence Report actually addresses this, and it’s not even close.

Although security breaches are often linked in the popular consciousness with hacking incidents involving malicious parties defeating technical security measures to gain unlawful access to sensitive data, more than four-fifths of all breaches tracked in the DataLossDB result from something that the OSF database does not classify as a hack, including 87.7 percent of reported 1H09 breaches. Stolen equipment is the largest single category and accounts for twice as many incidents as intrusion, possibly because equipment theft is easily detected and reported. A number of the incident reports reviewed for this analysis mentioned that intrusions or accidental exposure of information on the Web had been going on for quite a while before they were detected.


So in reality, it’s not so much that banks need to be aware of employee theft as another attack vector in addition to hacking or phishing; it’s actually the other way around.  In addition to low-tech losses like stolen equipment and employee theft, banks need to be aware of hacking or phishing.  (Note that the report’s largest single category is stolen equipment, not insider theft specifically, but taken together the non-hacking categories account for more than four-fifths of the tracked breaches.)

I am less clear on how to prevent data loss from these supposedly low-tech mechanisms for information loss.  A company needs employees in order to function, yet those employees are the weakest link in a company’s security chain.  An employer can take steps like background checks and security policies to ensure that its personnel are not malicious, but ultimately, as a company grows larger, the probability of a miscreant obtaining access to its information becomes greater and greater.  Some of the low-tech categories do have partial technical answers (full-disk encryption makes a stolen laptop much less of a breach, and need-to-know access limits how much any one insider can walk off with), but none of them removes the person from the equation.

Technology can solve some of the problems we have when it comes to security, but it does not address all of the human problems. 


[A recent picture of me in Geneva, Switzerland]