Blinders: Careless insiders -- not malicious ones -- are the No. 1 threat to data security, according to a recent Ponemon study, in which IT professionals said 88 percent of all breaches involved negligent insiders. "If there were more employee awareness about security, the number of breaches would come way down," Muller says. In Pfizer's case, the employee's spouse had configured the software so that other users of the file-sharing network could access files the spouse had stored on the laptop, but that gave people access to Pfizer files, too.
Combine negligent users and file-sharing software, and you've got a dangerous mix. Although most companies have outlawed P2P file sharing on their corporate networks, according to a 2007 study by Dartmouth College, many employees install it on their remote and home PCs. The study found, for example, that employees at 30 U.S. banks were sharing music and other files on peer-to-peer systems and inadvertently exposing bank account data to potential criminals on the network. Once business data is exposed, it can spread to dozens of computers around the world.
Eye-openers: First off, IT needs to either ban P2P software entirely or set policies for P2P usage and implement tools to enforce those policies. "[Pfizer] should have done a better audit of their systems to stop employees from loading any software," Muller says. "You can take away their admin rights so they can't install anything." Also important is training, he says, so users understand the dangers of P2P, what makes a good password and other standard security practices.
"There's a huge need for education so employees understand we're not trying to make things difficult but that bad things could happen," Semple notes. "It's having them understand, 'I can't do this, and here's why.'"
5. Subcontractor breaches
In November 2008, the Arizona Department of Economic Security had to notify families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The drives were password-protected but not encrypted. The agency says no information was used to commit fraud.
Costs: Subcontractor breaches are more costly than internal incidents, averaging $231 per record compared with $171, according to Ponemon.
Blinders: According to Ponemon's annual cost study, breaches by outsourcers, contractors, consultants and business partners are on the rise, accounting for 44 percent of all cases reported by respondents last year. That's up from 40 percent in 2007. In the ITRC study, 10 percent of breaches were associated with subcontractors in 2008.
Eye-openers: Companies need to create service-level agreements that are airtight and specific, and then ensure that subcontractors are in compliance and penalize them if they aren't. In cases that involve the use of backup tapes or disks, Semple says, insist on encryption and password protection.