An article by Mathew Schwartz of InformationWeek, “Hackers, Insiders Behind Most Identity Theft,” caught my attention this week – not because it highlights a new risk for organizations, but because it illustrates the old adage, “the more things change, the more they stay the same.”
The article recaps a study by the Identity Theft Resource Center (ITRC) of 662 data breaches in 2010, which accounted for 16 million exposed records. (The number may sound low, but keep in mind that only 51% of the reported breaches included the number of exposed records, and not all breaches are reported.) According to the article, the ITRC study found that of the reported breaches:
- Nearly two-thirds of breaches exposed people’s social security numbers.
- The leading malicious causes of data breaches were hacking attacks (17.1%) and insider theft (15.4%).
- 26% of breaches involved credit or debit card data.
The article is an important reminder that the insider threat is still very real and represents a significant risk to the business. As you look at how your organization is managing this type of risk, don’t fail to look beyond your employees to any individuals in your organizations that have authorized access to proprietary data, critical files, and applications.
A very interesting article from CERT profiles the insider threat posed by “trusted business partners” – a category that includes contractors, temporary workers, business partners – any individual that performs services for you, but is not an employee. These types of users easily fall between the cracks in fast-paced organizations and can be largely unsupervised â€“ escalating the risk of insider threat tremendously.
As we enter the New Year, I encourage you to take a fresh look at how you’re managing the insider threat. Identifying your high-risk users (both employees and non-employees) should be a top priority. There’s no time like the present to make sure your organization has the proper IT controls in place to minimize that risk by eliminating orphan accounts, conducting regular reviews of shared and privileged accounts, detecting and remediating SoD policy violations, and reviewing the access privileges the access privileges on a regular basis.
The right identity governance tools can significantly strengthen your controls over non-employee access privileges by tagging contractors, temps, consultants and enabling on-demand reporting and analysis on them. You can also assign owners to these types of users (who often don’t have a manager) and ensure those owners regularly review and approve the users’ access privileges.
Lastly, because non-employees often transition from project to project, it’s a great idea to use temporary role assignments (with expiration dates) to ensure that trusted business partners do not retain access privileges long after a project is completed.
With these baseline measures in place, you’ll be in a great position to meet the challenges ahead in 2011 – whether those are new regulations, new business challenges, or new threat profiles.