Sam Dekay

An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 2)

All sectors are required, by the plethora of state and local data breach notification laws, to report incidents involving actual or potential unauthorized disclosure of personally identifiable information.  Yet, three of these sectors (education, government, and private business) report significantly higher numbers of data breaches than financial services or health-related organizations.  It is possible that these latter two sectors, having been regulated by federal privacy mandates for many years, have developed policies, procedures, and processes that encourage an awareness of the importance of protecting privacy.  The state-initiated breach notification laws appear not to have influenced the frequency of incidents to the same extent as have the federal mandates.  Perhaps, however, future Congressional implementation of a nationwide breach notification mandate will alter this situation.

3.  The debate between “malicious insider” vs. “external hacker” (or “malicious outsider”) has perhaps obscured the real perpetrators of many information security incidents.

Information Security professionals are infatuated with the debate concerning whether the “malicious insider” or the “malicious outsider” (usually a hacker) is responsible for most security incidents, especially those involving unauthorized disclosure of information.  This debate has continued within the pages of this blog and has, perhaps predictably, excited controversy.

Analysis of the Clearinghouse database of breach incidents provides insight concerning this debate.  In 2007, the majority of breaches that actually involved identity theft or other fraud were caused by “malicious insiders” (4 of 7 incidents).  However, a majority of the 330 total incidents were attributed to “malicious outsiders” (hackers) or to insiders who accidentally disclosed sensitive information (for example, employees who carelessly disposed of sensitive records into a dumpster).  More specifically, 17% of incidents were caused by hackers, and between 36% and 80% of breaches were the fault of careless employees, including network architects, information security staff, and consultants.

It seems that InfoSec professionals must cease the dualistic thinking that posits two types of “bad guys” (the malicious insiders and the malicious outsiders).  There seems to be a third group that, while unrepresented in the debate, is actually responsible for a great many (and perhaps the majority) of security incidents:  The Careless.  These are the individuals who fail to notice that hundreds of bank statements are sent to incorrect addresses, who do not take the time required to shred documents containing personally identifiable information, and who neglect to detect vulnerabilities within a network architecture.  Unfortunately, the Careless wreak considerable havoc upon the organizations they serve, perhaps more havoc than Information Security has, to date, recognized.
