Data Breach Threats From Within Growing

By Jeff Casale

Apr. 9, 2009

While the external hacker is something companies have learned to defend against, the threat of internal data breaches is growing.

Insurance and cyber security experts say a computer-savvy employee who thinks his or her job may be in jeopardy may be more inclined to tap the organization’s database for information that may be useful in a new job with a competitor.

Worse, the employee could attempt to take revenge on his or her employer as job cuts abound during the recession, experts say.

“I think it’s safe enough to assume that, as people are put under greater and greater emotional stress, additional people may lose their moral compass and do things and take data that, in normal circumstances, they might not,” said Alan E. Brill, New York-based senior managing director of technology services at Kroll Ontrack, a division of Kroll Inc., a consultant unit of Marsh & McLennan Cos. Inc.

“But we have to live with the circumstances that we’re in; and if we’re in a higher-risk environment of people doing that, I think we have to be able to respond to that and provide the tools and technology to do so,” Brill said.

Brill said Kroll already is seeing a higher rate of incidents involving employees taking sensitive company data—either before or after they’ve been let go—that they intend to use to better themselves with another employer or start a competing business.

Brian Lapidus, a colleague of Brill and the Nashville, Tennessee-based COO of Kroll’s fraud solutions division, said there were about 1,000 more data security inquiries to Kroll in December than just last July.

“We’re seeing more [data] breaches and we’re seeing more activity from those people who have been victims of a breach,” Lapidus said.

A study that Ponemon Institute LLC released last month found that more than 88 percent of all data breaches involved insider negligence, while the remaining 12 percent were the result of a malicious act. The study also found that the cost of data breaches to companies rose in 2008 to an average $202 per record compromised, up 2.5 percent from 2007 and 11 percent from 2006.

According to Traverse City, Michigan-based Ponemon, “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach.”

Insiders gain access to the data through lax controls and monitoring of network systems, a direct effect of cutbacks in security software and information technology support staff, Brill and other cyber risk analysts say.

“The ability to stop an insider who has access is not really practical,” said Mike Rothman, senior VP of strategy with Acton, Massachusetts-based IT consultant eIQnetworks Inc. “The tools have been put in place to monitor [systems], but I think that IT workers have such a long list of activities to do on a daily basis … you can overlook the monitoring when you have other tangible projects that people are waiting for action on.”

Software programs capable of sweeping systems for irregular data flows are available, Rothman said. It is becoming more “critical” to run automated network scans as companies cut back on data security staffing, he said.

But the attacks are becoming more complicated and intelligent, cyber risk specialists say.

Alex Horan, director of product management for Boston-based Core Security Technologies, said hackers are using “more talented” malware—or malicious software—than in the past and that the attacks have gone beyond the viral e-mail or embedded link to what appear to be safe software downloads.

In a data breach at Princeton, New Jersey-based Heartland Payment Systems Inc., investigators uncovered the breach in January but found that malware had been installed more than a year earlier, according to statements by Heartland executives.

The malware was specifically designed to take certain information and was relatively undetectable. Heartland executives said they did not know how the malware was installed or how much data was taken from the payroll processing operation.

“It’s an attacker knowing the organization and the type of data it holds,” Horan said. “[The hacker] is not sending out a billion e-mails hoping that someone will click on the e-mail. It’s now a more targeted approach.”

Brill agreed, adding that malware is becoming more specialized and, in most cases, is undetectable by the software that fights malware as it is something software companies have not seen before and cannot defend against.

Network security, especially for organizations that use a third party to manage databases, is becoming more important to companies, said Mark Steinhoff, a New York-based principal in Deloitte & Touche’s security and privacy practice.

Deloitte recently surveyed global top 100 financial institutions, banks and insurers and found that 36 percent of the respondents were more concerned with internal breaches, while 35 percent of all respondents were concerned with internal and external breach threats.

“When you look at what organizations are most concerned about, it’s both the internal and external threat,” Steinhoff said. “The insider threat is getting more attention, but the tools to protect against it are still evolving.”

The recent attention surrounding data breaches is puzzling to Kevin P. Kalinich, Chicago-based co-national managing director of Aon Corp.’s financial services group for professional risks.

“There have always been data breaches,” but recent developments in state and federal laws that require data breaches be made public have generated more attention and the incorrect belief that data breaches are rising, he said.

Kalinich said studies have shown that “people feel less guilty about taking electronic data” than hard-copy files and data breaches may indeed increase.

“Organizations have to be aware of economic turmoil and specifically its effects on their employees,” advised Tracey Vispoli, vice president and manager for the financial fidelity and cyber solutions unit at Warren, New Jersey-based Chubb Group of Insurance Cos.

“I think people need to be more worried about [internal data breaches] than in the past. The trends are changing and essentially you have a workforce that is more disgruntled and more upset than in years past, and I think that is something that will be a looming issue in the years ahead,” she said.
