INTERNAL SNAFUS CAUSE OF MOST BREACHES, STUDY SAYS

Source: ComputerWorld
Posted on March 20, 2007

This year, more than 72 million records containing Social Security and credit card numbers, birth dates and other personal data will be exposed to unauthorized users in the U.S., according to a study by researchers at the University of Washington in Seattle. And, the researchers said, the main culprit isn't the oft-vilified malicious hacker. Instead, they blamed snafus inside companies as the biggest cause of data breaches.

That conclusion was based on a review of 550 security breaches that were reported in major U.S. news outlets between 1980 and last year. The goal was to examine the role that organizational behavior plays in privacy violations.

The study found that 61% of the incidents involved internal foul-ups, such as accidentally putting personal information online or losing track of backup tapes and other equipment. In contrast, 31% of the breaches were perpetrated by external hackers, said Philip Howard, an assistant professor of communication at the University of Washington and a co-author of the report. The remainder of the breaches had unspecified causes, he added.

The university study is reinforced by similar findings from other researchers. For instance, a report released last week by the IT Policy Compliance Group said that human error is the overwhelming cause of losses of sensitive data, contributing to 75% of all occurrences, compared with 20% for malicious hacking activity.

Similarly, in an electronic poll of attendees at Computerworld's Premier 100 IT Leaders Conference this month, the 161 respondents pointed to "activities by internal staffers," "ineffective policies" and "sloppy mobile workers" as the biggest sources of security breaches. Only 11% of the respondents fingered external hackers as the leading cause of breaches at their organizations.

Even in cases that were publicly blamed on hackers, the reality can be more nuanced, Howard said.

One example was the huge data breach at Acxiom Corp. in 2003, when a hacker who was later caught stole 1.6 billion customer records. He was able to get at the data largely because of Acxiom's failure to establish proper access controls, Howard said.

Tom Lindblom, chief technology officer at Carpinteria, Calif.-based CKE Restaurants Inc., which owns fast-food chains such as Hardee's and Carl's Jr., said he thinks businesses are getting savvier about implementing internal controls that can mitigate the kinds of organizational problems highlighted by the University of Washington study. That's being driven partly by increased audit and regulatory requirements, he said.

As a result, Lindblom noted, it's hard to pinpoint whether hackers or internal problems pose the greater security risk at this point.

"I don't think it's a case of one or the other," he said, adding that it's important to address both types of threats in risk management planning.

"Certainly, we find that data breaches are often the result of negligence," said Avivah Litan, an analyst at Gartner Inc.

Examples cited by Litan include not changing passwords or using weak passwords, along with a tendency on the part of individual users to leave log files or sensitive data lying around unprotected.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.