Data Leaks: Internal Threats, Incidence, and Damages
Security is never a sexy topic. Covering for it costs money but often adds no value to your business and processes. In the best case, security solutions are unobtrusive, not too expensive to run over time – like that dental insurance you hope you’ll never need.
Alas, security threats are a topic with the potential to cause more harm than a passing toothache. This is particularly true for the information in your organization; a critical and valuable asset of your organization – which makes them a potential target for people with criminal intent.
“That evil hacker!”
Asked for the perpetrators of such crimes, a common answer is “hackers”. A successful hacking attack can be imagined as something spectacular and a matter of high ingenuity and technical prowess.
The truth is more prosaic. You are probably aware that the mean data thief is quite likely a system user. These are privileged insiders, optimally positioned to obtain huge amounts of data as a matter of a few mouse clicks, having access to the relevant systems, necessary authorization, and knowledge of how to retrieve relevant information. If chances are good that you won’t be caught, you might be tempted to turn a quick dollar. This idea is supported by findings
from KPMG who report that 71% of (known) data theft cases were perpetrated or helped by insiders.
And there are more indications that enemies are as likely inside as outside your organization:
Incidence – deception and self-deception
There’s no use guessing how many employees are how likely to bite the hand that feeds them. Some naked numbers give a rough idea: KPMG indicate that 30% of organizations were affected over the past two years, but expect a high dark figure of cases that remain unnoticed or unreported. General expectation seems to be that this number is set to rise in the future. The huge majority of respondents – 82% – see other organizations at “high risk” of data leaks. Quite intriguing: at the same time, fully 70% of respondents assess their own organization to face only “low risk”. The truth is likely somewhere in between; and hopefully, you have a less contradictory view on the risk your organization is exposed to!
Damages – not out of the petty cash
Has your organization tried to work out what damage different hypothetical data leaks might cause?
What does it mean if a massive amount of customer data such as bank and other personal information, consumptions details, or contract information, fall into the hands of an aggressive competitor or imaginative criminals? What if employee data leak, such as salaries, your (not yet patented) know-how, inside organizational information, etc.? Oh,and yeah, imagine the security issue becomes public, and you get a lot of free
advertising of the unwanted type.
The direct or short term costs might be somehow possible to guesstimate (like fines, law suits, support for official investigations, and more). But how would you rate the media fallout on your reputation, trust from customers, employees, and markets; the effect on your sales, or your ability to hire the best talent? At which point does a humble “data leak” turn into a threat to the very survival of an organization?
The Economist leans on a study by researchers at Carnegie Mellon University who found that almost half of studied cases involved losses of more than $1m.
One of the outstanding examples to this point is US retailer Target, who are estimated to have occurred US$1 billion in damages after a massive leak of credit card data.