Category Archives: Insider Threat

The Shocking Facts About Data Loss Protection You Didn’t Know

Data loss is, quite simply, a reality for businesses operating in the 21st century. It is often thought about as caused by external threats such as cyber attacks. But data loss is also caused by internal threats and is often more dangerous as it can affect companies of any size. We’ve rounded up some shocking facts about data loss protection you need to know about:

Over 50% of critical corporate data sits on unprotected PCs

Remote work has only really started to come into its own in the last five years and it is increasing at a truly rapid pace. Unfortunately, businesses do not seem to be ensuring that their DLP and cyber security plans keep up with the way their industries are changing. Personal computers, particularly laptops, but also home desktops possess the same levels of risk when it comes to internal loss of data. 

Small businesses that experience drastic data loss go out of business within a year

Probably the most shocking statistic for SME and SMB owners. The harsh reality is that, if a sufficient DLP strategy is not put in place, you may lose data via internal sources. Sometimes it’s malicious, sometimes it comes from simply a careless click.

Think about your company’s most sensitive data and what its release would mean in terms of a worst case scenario. Would you be financially liable to the individuals concerned? Would it ruin your company’s reputation? Are you likely to be seriously affected if a competitor sees your intellectual property? If the answer to any of these is yes, you should be seriously considering updating your DLP strategy, or implementing one if you don’t have it already. 

75% of all mobile apps fail a basic security test

Regardless of whether you supply employees with a company mobile or if you have a Bring Your Own Device policy, your employees will install apps on their phone.  This is both an internal and an external threat. The employee installs an app on their phone that does not have sufficient security – an internal threat. The levels of encryption that you have put in place can now be breached – an external threat. A good DLP strategy will see that you have buy-in with your employees to ensure that they know the risk of what they are downloading and outline necessary steps and criteria to follow.

Cyber crime damage costs to hit $6 trillion annually by 2021

And cyber crime is reportedly the fastest growing crime in the United States. While this refers to all cyber crime, not just internal data loss, it still sits as an astounding figure. Data Loss Protection strategies work hand in hand with additional cyber security measures. Many of the precautions you take to protect against internal threats will also protect against external threats but it is essential that you address both so that your company does not contribute to this statistic.

Data loss protection is all about managing risk. You can’t eliminate it completely but its important to stay on top of where the trends and technology are moving to ensure that you have your company and its sensitive data covered. These facts will hopefully make you see the huge global impact of data loss and the effect that a well-communicated DLP strategy can have.

How To Know When It’s Time To Upgrade Your Data Loss Prevention Strategy

Tactics that involve prevention and protection always need constant upgrading, changing and reworking. As technology changes and people find new workarounds, so to do you need to continue finding new ways to upgrade your data loss prevention strategy. Obviously, this can be quite time-consuming and costly for small to medium enterprises, particularly, so a sensible approach is to consider when and why you should be looking to improve your data loss prevention (DLP) strategy. This knowledge will allow you to prioritise your company’s resource effectively to help protect against any breaches.

Know the culprit
While much of the attention about data loss points to outside threats from cyber-attackers, it’s estimated that more than 40% of all data breaches occur internally. These can be intentional, but they can also be due to just a careless click of the mouse. Being aware of how your data could be lost, is the first step to upgrading your strategy.

Assess your sensitive information
It’s not entirely realistic for a small or medium sized company to have a mammoth DLP strategy that protects all of the company’s information to a very high level. Nor do most companies want that as it often comes with an increased level of administration that would significantly decrease an employer’s output, were it to be applied to every file in the company.

So, assessing the files that your company has is crucial to know when to upgrade your DLP strategy. The easiest way to do this is to look at the worst-case scenario for each set of files that your company has. If someone were to accidentally send a file to the wrong person, or maliciously release it to the public, what would the ramifications be for your company, both in terms of financial and that of reputation.

Qualification
Then, qualify your data files into groups – high risk, medium risk and low risk. Most companies with internet security and data loss protection strategies will have all-encompassing security that includes all files, even those low risk. It’s the high risk and, to a lesser extent, the medium risk files that you need to have a strong DLP plan around.

It’s also worth being mindful of whether the strategy covers new files that are created. Is there a process that qualifies this data into the ‘risk buckets’ mentioned above? Your DLP strategy is only as good as how it’s being implemented. If you find that there are gaps when you go through the process yourself, it’s time to look at an upgrade.

Accepting technological change
It can be difficult for companies who have invested a great deal in a solution to look at making significant changes to it. Often there are stakeholders or other parties who may not realise the necessity in doing this and therefore the cause also has to be justified.

However, one of the biggest weaknesses of all DLP strategies is that they are reactive. They constantly have to be told what to look for – the kinds of encryptions and data formats, for instance. As we all know, technology is changing and progressing at an unprecedented rate. Because of this, those encryptions and formats are constantly changing and therefore an effective DLP strategy should be updated accordingly.

So, when? Well, the answer is constantly, but the good news is that there are plenty of affordable solutions of technology that can fill the gaps in your DLP strategy, rather than completely reworking the entire thing – an unnecessary exercise. Software such as classification software can help to combat the issue above and only serves to strengthen your DLP strategy in a cost-effective way.

Although it would be nice to have a set of rules in place to know exactly when to upgrade your DLP strategy, such a set of rules would be unrealistic and not flexible enough to take into account all of the changing variables. Instead, an approach that involves a full assessment, qualification and reworking is best when considering an upgrade.

Data Loss Statistics That Might Shock You Out of Complacency

data-securityWe hear about data loss statistics in the news media from time to time when large breaches occur, often in big multi-national companies or government departments. It’s rare for the news media to report the smaller data breaches as they are less exciting, yet this is where much of America’s data loss is occurring. Internal breaches where employees either accidentally lose data, or do so with malicious intent, happen on a daily basis. These statistics are to help give you an idea of how engrained and widespread the problem is for companies of all sizes:

43% of data breaches are internal
This is an alarming statistic and an often overlooked one. A common misconception is that loss of data occurs mainly from malicious cyber-attackers. While external breaches still count for over half of all data breaches, and are certainly on the rise, internal data breaches are also increasing and account for almost half of all data breaches.

If we were to break that number down even further, half of these breaches were done by accident, and half were intentional on behalf of the employees.

So, what does this mean for employers?
The problem is two-fold so it must be approached in the same way. Firstly, a process-driven approach can significantly lessen the number of breaches that occur by accident. A good data loss protection strategy that is effectively communicated to employees will help to protect companies, regardless of their size.

Secondly, it’s important for employees to consider if there are any environmental factors that may cause an employee to release data intentionally. If there is a high incentive for them to release specific information, such as financial reward or other gain, look at how well that data is protected and whether it is able to be accessed only by employees who need to.

Also look at your company culture and assess whether there is any emotional incentive. Disgruntled employees who perceive, rightly or wrongly, that they have not been well looked after, are often overlooked for the high risk that they present to companies. Sometimes, there’s absolutely nothing an employer can do to stop their employee feeling a certain way, hence the importance of a good data loss protection strategy. However, in many cases, these employees would present no risk at all if companies had sufficient processes and schemes in place that made the employee feel valued.

60-70% of all data breaches can warrant public disclosure
This statistic is the most harmful to the reputation of your company. It comes from an Intel study done in 2015 and is even more relevant now as internal data breaches are on the rise. Broken down, the study found that, specifically, 70% of incidents in smaller commercial organisations, SMEs or SMBs, warranted either public disclosure or had a negative financial impact.

So often, the focus around data breach is on infiltration, or attack from the outside and how to prevent it. However, as studies have shown, many breaches actually come from the inside of small to medium businesses. It’s important for employers and small business owners to take notice of these statistics and consider how they could affect their own companies. Our advice is to be mindful of the data that is in your company’s possession and look at ways to prevent it from being released internally through good company culture and an effective data loss protection strategy.

Enhancing Your Company’s Mobile Security in Ten Steps

Mobile-centric workforces are a present reality, and, more and more, a way of the future. They enable your employees to be anywhere and everywhere, which also means that your company’s precious and sensitive data is moving with them also. So, how to prevent against the threat of data loss from internal sources, both by accident and maliciously? Here are ten easy steps you can take:

  1. Use a lock screen and biometrics technology

Pretty simple stuff but it is very surprising how few companies, particularly SMBs, insist that this procedure is followed by their employees. Preferably employees will have both smartphones and laptops that come with built-in biometrics technology that can identify them through retina or fingerprint verification.

  1. Create a BYOD policy

You may or may not provide employees with devices. If you don’t, it’s important to create a BYOD (bring your own device) policy, where employees follow a procedure on their own devices to bring them up to speed with company security policy. Mobile device management platforms are a great way of implementing these. These procedures should also give you the ability to wipe their phone data remotely in an emergency situation.

  1. Purchase unlimited data contracts

This might not always be possible with budget constraints, but it is the most effective way of preventing employees connecting to unsecured Wi-Fi networks when they are in public places.

  1. Encrypt, encrypt, encrypt

The more you can encrypt the better to prevent ‘leaky’ code or to help prevent data being revealed if it is leaked by accident. File-level encryption protects data on a file-by-file basis, and key and certificate management is also highly important to protect.

  1. Strengthen passwords

Many employees still use old and unsafe passwords, merely because they’ve never been reminded to update them. As part of company policy, ensure that all passwords have to be of a certain strength and changed on a regular basis. This will help against the threat of data loss protection, not only from a mobile security standpoint, but also within the office.

  1. Testing

Ideally comprehensive testing will be included in the network security firm who puts together your mobile security package, but you should also be testing yourself to find any cracks. Upon initial implementation, encourage employees to ‘break the system’ with unclassified information. When the people who will be using the mobile systems are able to get around the technology at the very beginning, it’s likely to happen again and therefore needs to be fixed.

  1. Device protection

More relevant for SMBs with BYOD policies, ensure that the devices used are not jailbroken or a rooted device. This removes the in-built security measures that come with smartphones, which are fairly sophisticated and help to complement your company’s own security policies.

  1. Mobile app choice

When downloading any app on a phone, for both personal and professional use, it’s important that employees don’t download apps that could compromise data protection. Ensure that employees view the download of apps the same way that they view downloading foreign files, or opening spam emails – with caution.

  1. Inform your employees

Further to this, it’s helpful to inform your employees what potential threats could look like. While these are technically external threats, you can reduce the internal threat of employees clicking on harmful phishing links by educating them that these could come from banks, tax departments, the Board of Directors, and what to do if they’re unsure.

  1. Update the technology

Software updates for laptops and mobile devices generally include a large number of security patches and updates. Ensure that you and your employees are as protected as you can be by updating as soon as the notification comes through.

Many employees don’t have any intention of leaking a company’s sensitive information, they are just totally unaware of how they are inadvertently doing it. Creating a workplace where employees are taught to view mobile security as an important part of their job, whether it’s disconnecting from public Wi-Fi areas, or strengthening passwords, it helps to educate and empower them to start taking mobile security into their own hands. This, combined with mobile device management platforms that help to protect against internal loss that occurs intentionally, will ensure that your company has a solid mobile security policy.

How to Use Prioritization to Enhance Your Data Security

Data loss prevention and data security can sometimes feel like a daunting and money draining task, particularly for SMBs. But cyberattacks and loss of data can be some of the biggest risks an organization can face in this modern-day climate. Companies don’t need to be big-name enterprises with large IT departments in order to operate as a top-performer in data loss prevention. When it comes to protecting companies and individuals from data loss, prioritization of data protection is key to successfully managing security, while still operating a well-running company.

  1. Knowledge is power

There are many studies that suggest that around one third of all companies lack sufficient policies for data encryption, classification and security. Knowing the risk and how your company might be affected is the first step towards data security.

  1. Consider the options

What is actually realistic for your business? While it is tempting to get caught up in the sophistication and benefits that some of these security systems hold, it’s important to prioritize what your company really needs for full protection. Extra benefits are nice-to-haves, and most security companies will scale plans up and down, so these can easily be considered once a working plan is in place.

  1. Learn about your company’s data

Back to the first point, knowledge is power – in order to be able to optimally prioritize data for security purposes, you need to know about your company’s data. What it does, who uses it, and how it moves around your computer systems. Depending on the size of your company, there are some mapping tools that can be put into place to assess this but you should also be looking for a general feel. In addition to the sophisticated software that’s out there, there’s an element of common sense to data security – if you think data could escape a particular route, it probably can.

  1. Top down data prioritization

Once you know the ins and outs of your company’s data, it’s important that you begin to assess the risk that a breach in data security poses for the different kind of files your company possesses. The higher the risk, the more priority needs to be given to ensuring that the data security around those files is impeccable.

  1. Balance it out

Bear in mind that often the more security and process you place around data, the more administration you are placing on your employees. Policies and verification processes all take time, and this adds up if it is manual time on each and every file the employee is using. Consider the effect that the loss of a particular piece of data will have on your company if it is released from your secure system. If the consequences are not high, and it’s much more effective for your business to run efficiently without cumbersome processes around those files, then go with that.

Prioritizing the kind of security that you employ to protect your company, and how you implement it, can sometimes mean the difference between being able to install security and data loss prevention plans in your company, or becoming like the one-third of businesses that have not done so. With these simple techniques, you should be able to efficiently breakdown and prioritize how to effectively go about protecting your company through data security.

Why a Data Breach Could Change Your Life – And What to Do About It

data loss preventionThe sensitive information of individuals is big business in the criminal world. An individual’s medical record can collect up to $50 on the black market, 50x that of a credit card record, and that’s before money has been elicited by using the record itself. Data breaches aren’t just confined to medical and financial though, in the modern world we are seeing trade secrets, intellectual property and other identification information being viewed or stolen by unauthorized individuals. Data breaches can dramatically affect your life, both as an individual citizen, but also as an employee or business owner. Fortunately though, there are ways to protect yourself.

Getting down to business

From a business perspective, data breach can be hugely damaging, to a company’s reputation as a whole as well as the consequences of what that data breach will bring. Particularly for companies that trade in knowledge sectors, data breaches can have hugely impactful and long-lasting effects if intellectual property or trade secrets are obtained by an unauthorized source. Companies have seen their long-term earning capacity significantly reduced, or even wiped out, from data breaches.

While the media generally highlights data breaches that happen on a mass scale to large and well-known brands, it is small to medium enterprises that can be hit hugely as their technology and processes are often not strong enough. Some studies suggest that almost 30% of SMEs have no plans in place to deal with security threats.

How to turn things around

A data breach response plan is crucial to maintaining the safety of your business. Sometimes it’s helpful to think about the digital risk of a data breach in the same way as a physical risk to your company, such as fire or theft. No company would operate without basic policies around high-risk areas, and data breach should be considered in this group.

A good data loss protection plan and state-of-the-art security will equip your company with the right tools and software to protect against ransomware, and inadvertent loss of data. But a truly great data loss protection plan is one that pre-empts the catastrophe by ensuring that all employees understand the level of risk associated with a data breach and are committed to putting in place best data loss protection practice in order to minimize the risk.

On an individual level

Whether you’re a business that holds sensitive information regarding individuals, or from an individual perspective, it is important to know the risks associated with having your personal data compromised. Of course, the consequences of stolen financial and medical records are fairly evident, but with the rise of sophisticated ransomware and malware techniques, criminals can embed themselves on your computer and commit serious crimes identity theft that you may not even be covered by in your insurance.

What to do about it

Firstly, look into how you’re currently protected on an insurance and a digital level and make the appropriate changes. Contact your bank and talk about options to protect your credit card online and fully understand their policies if your details are compromised. Shop around – protection isn’t standardized and different financial companies will offer different types of protection. That goes for your medical insurance also, contact your provider and get a clear understanding of what will happen if there is some kind of breach.

Then it’s time to look into your cybersecurity. Cyber criminals have gone from strength to strength in recent years so it is imperative to update your security and ensure the settings don’t ever have it sitting in an idle state. It’s also an excellent idea to look into password storage facilities like LastPass that enable you to have a different password on websites, particularly those you are sharing sensitive information with. Opt for a two-step verification process on any website that has it and use different security questions on different websites, where they are offered.

Data breach can have far-reaching and long-lasting effects on both individuals and companies. Put simply, the only way to combat this kind of criminal activity, as a citizen and as an SME or SMB, is through protection. For businesses, this involves a strategic data loss protection plan, as well as a crisis management plan if the worst happens and sensitive information, particularly that of individuals, gets into the wrong hands. For both businesses and individuals, computer security and prevention techniques when it comes to websites where your data could be compromised, are essential to mitigating the life-changing risk of a data breach.

Healthcare Industry Data Loss Problems – And Their Easy Solutions

According to a report by the Ponemon Institute, nearly 90% of healthcare organizations suffer data breaches. Internal threats such as mistakes—unintentional employee actions, stolen computing devices—account for nearly half of the data breaches. This statistic certainly serves to show the staggering problems around data loss in the healthcare industry. While the scale of the problem, and therefore the solutions to it, may seem incredibly vast, there are actually strategies healthcare organizations should be implementing in order to combat this high-risk situation.

Why is theft, or loss with malicious intent, so high?

Firstly, medical records can fetch up to 50 times that of credit card records on the black market. While that may seem far-fetched, it’s surprisingly not, given the amount of credibility medical records hold when it comes to identification. Criminals can easily use medical records to fraudulently bill insurance companies, obtain prescription medicine, in addition to other identity theft practices.

The move to digital and the losses that come with it

The digitization of medical records has been seen as a long overdue step by the medical community to reduce mounting hospital administration and provide patients with more reliable diagnoses and care. Proper due diligence isn’t being paid when it comes to data loss protection for a variety of reasons, budgeting, outdated technology and lack of knowledge among them. As a result, breaches into healthcare systems are becoming more and more commonplace, particularly as online criminals become more skillful, as well as hospital staff accidentally releasing sensitive patient information.

The problem areas

Data loss is considered to be one of the most commonplace ways for healthcare organizations to lose a patient’s medical files. The main problem areas include criminal attack, a stolen computing device, unintentional employee action and technical glitches in the system.

The root problem

At the root of these problems are outdated legacy systems and medical devices and poor training in data loss protection. Healthcare organizations have an extremely unique set of challenges when it comes to digitized information. Particularly for hospitals, the scale at which they work, is huge. The number of individuals who have files stored on their systems, as well as the number of medical professionals who are not highly skilled in computer literacy, is vast. Combine this with computer systems that need updating and a lack of budget to do so, and it is easy to see why data loss is so prevalent in the healthcare industry.

The solution

The solution to the problem can be simplified into two parts – update computer systems so that strong security measures can be put in place, and implement a data loss prevention strategy across the organization. The first solution requires budget, but it is imperative that this is prioritized. Ransomware and malware are becoming an increasingly prevalent, malicious, and ruthless way of obtaining data. Trends suggest that it will become even more of an issue in coming years and the only way to combat it is through state of the art security measures.

A data loss prevention strategy, while still costly, especially if implementing on a large scale, is more of an upfront cost and a slow burn investment. For healthcare organizations, a data loss prevention strategy is an incredibly cost-effective way to protect against data loss as much of it involves staff onboarding and communication in order to make it work. Of course, software systems need to be installed to protect files, but much of the hard work comes from ensuring that all staff understand what they need to be doing in order to avoid the inadvertent leakage of sensitive information.

With just a quick online search, you can see the mounting concern about protecting patient data in the healthcare industry, and the ever-growing and alarming statistics about how much data is currently being compromised. Healthcare organizations need to reprioritize budget in order to implement easy and effective solutions like state-of-the-art security, and a data loss prevention strategy that has buy-in from staff working both in hospitals and medical centers on network devices, and remotely on mobile.

5 Common Misconceptions About Data Loss Prevention Debunked

In an age where sensitive information lives in clouds and on endpoints, instead of behind lock and key, Data Loss Prevention has become big business. That infamous saying ‘at the click of a button’ now has to be a carefully monitored click to ensure that critical information isn’t shared with the outside world, either maliciously or by sheer human error. DLP can be a confusing area of the technology industry, not to be confused with its anti-virus counterparts, so we’re here to debunk some of the most common misconceptions people have around DLP:

The threat is from the outside
The ‘which is worse’ debate is hotly contested between inside vs outside threats, with the likes of Intel suggesting that internal actors were responsible for 43% of a company’s data loss, and half of this activity considered malicious, half accidental. Regardless of which statistical report you believe, internal threats make up a huge amount of a company’s data loss, particularly as internal threats have greater access to this data. They shouldn’t be ignored to focus on the, often perceived as more dangerous, outside threats.

Ready-to-wear solutions
Outside threats have held huge significance in our lives over the years – of any technological breach, outside threats are the ones that take up the most space in our news media, and what we absorb from the internet. Because of this, some company’s approach DLP from an ‘outside threat perspective.’ That is, they talk in the language of patches, firewalls and anti-malware. DLP needs a different approach because it is not a piece of software. The exciting thing about DLP is that it is an all-encompassing, working strategy fitted to your company, rather than an out-of-the-box, download it and hope it works software solution.

Call the IT department
Similar to our last point, there can be a misconception around who should be running a DLP strategy within a company. While DLP incorporates many technological elements to it, thinking that it should be an IT responsibility is along the same lines as treating DLP like it is simply software. To truly get the most out of a DLP strategy, it needs buy-in from all corners of the company. The threat is from the inside, therefore all those on the inside must be on-board with minimizing it, in order for it to work. How to do it? Delegate responsibility to its relevant skillset. Certainly pass over the specific technological aspects to the IT team, but also think of creative ways that leaders and communications specialists can communicate direction and action points to all staff.

Productivity grind
We have all experienced the dreaded words ‘new strategy’ at certain times in our career to be synonymous with ‘new admin’. It’s a common misconception that Data Loss Prevention will be time-consuming and add unnecessary frustration to a staff member’s already busy day. It’s crucial that we debunk this one as it is what will inevitably derail that buy-in from all staff members. DLP has been in the marketplace for a significant enough amount of time that its systems and protocols are fine-tuned and highly personalised. Professionals can look at a company and tailor a solution that’s convenient and efficient in requiring authorization only where it is needed. The key to this is, of course, how DLP strategy is implemented at the start. If policies clearly outline the levels of authorization, this clears up any risk of blanket rules applying across companies and slowing things down.

Too big to handle
For many small companies, DLP can seem overwhelming and the question is often raised as to whether it is really necessary for a small business to implement. The risk of data loss applies to all companies, big or small, so the question should be framed more around how sensitive the information is and how catastrophic it would be, should it be leaked. If the risk is high enough for either, then DLP shouldn’t be considered a solution that is too large for a small company. Because DLP is a series of policies and protocols, as well as the technological aspect, it can be applied incrementally. What is the area of a company that is most at risk? Set up DLP procedures around that data only and move on to the next important set of documents when you can.

While none of us want to believe that the employees who work for us, or alongside us, are capable of maliciously leaking sensitive data, the reality is that they are, as well as leaking it by accidental means. The Data Loss Protection marketplace looks to combat this with an holistic approach that involves more than just software and IT teams – it’s a company-wide program that, whose ownership firmly lies in the hands of the people who use it, not the technology itself.

Data Security Priorities for SMBs in 2017

Small- and medium-sized companies (SMBs) are equally vulnerable to cyber threats and data breaches as large enterprises. According to a survey of SMBs conducted by Ponemon Institute, nearly 55% of respondents said that they experienced a cyber-attack, and at least 50% had a data breach in the past 12 months. It was also revealed that negligent employees, contractors and third parties caused most data breaches.[1]

Here are the key reasons why SMBs are becoming more vulnerable

  • Security policy is not well defined.
  • The software and methods that are in place to prevent the breach are either obsolete or not capable enough to prevent the data leakage.
  • Lack of training to the employees.
  • Not enough budget is allotted to thwart the threat.
  • Strict adherence to follow the security procedure is lacking – weak or repetitive passwords. Encryption is missing in most of the cases.
  • BYOD policies are missing.
  • Protocol to be followed in case of leak is not defined, which could in turn restrict the extent of data loss.
  • There is rarely a dedicated IT personnel overlooking the security of the system. Thus, 24/7 observation is

For all of these reasons, the loss of sensitive data is often due to negligence of the company personnel. A lot can be averted if the following requirements are addressed in the security protocol.

These essential steps are recommended for SMBs to follow and implement in order to mitigate data breach threats.

  • Regular training sessions should be conducted for the employees. Users should be educated about cyber security and informed on how to deal with the sensitive information safely.
  • Password encryption should be a must. Implementation of two-factor authentication is an easy and affordable way to safeguard the cyber content.
  • Account management should be implemented. User-defined roles should dictate who gets what kind of access to the sensitive data. Authentication of the user and the device being used to access the information should be verified.
  • Clearly define the BYOD policies to the employees so that intentional or deliberate loss of data can be mitigated.
  • Software used should be current, thus making it less vulnerable to cyber threats.
  • Policies around what data can be copied and how and where it can be duplicated should be laid out for the users.

As we step into 2017, SMBs should start gearing up to implement tailored protocols to defend against data breach, particularly from insiders. Along with taking the steps mentioned above in stride, employees should be scrutinized for their behavior in the office. Even at the time of recruitment, proper background screening should be conducted. Getting the right kind of employees and following up with a robust plan for security will aptly help mitigate the threat.

[1] http://www.ponemon.org/blog/smbs-are-vulnerable-to-cyber-attacks

2016: Data Breach Statistics, Year until 10/19/2016

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which count is available.

Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. Let us see how some sectors have been impacted as of October 2016. The excerpts below only provide a glimpse of some of these incidents – the list goes on.

Government

August 26, 2016 – County of Sacramento, California, issued a statement that an unknown number of records with personal data were exposed due to an error in the online automated application for Emergency Medical Service license. The information included name, address, social security number, driver’s license, phone number, date of birth of the applicants. Although there has been no report of misuse of PII, yet the county offered one year credit monitoring services of Experian to the affected people as a precaution.

Source: California Attorney General

 Healthcare

September 26, 2016 – One worker at Yale- New Haven Hospital and her friend were arrested for illegally procuring classified personal information of at least 20 near death patients and using the stolen data to obtain credit cards, becoming beneficiaries in their insurances among other planned crimes. This had been going on for two years before they were caught. A year’s credit monitoring has been offered to the victims.

Source: Media: News 3

August 12, 2016 – Bon Secours Health System disclosed that R-C Healthcare Management, a third-party vendor managing their Medicare and Medicaid reimbursement, accidentally left patients’ files accessible over the internet while updating network settings. About 665,000 records containing patient name, health insurer’s name, health insurance identification number, social security number and some health information was exposed to the general public. A forensic investigator was hired to correctly identify people that were affected by this breach and then informed about the incident. 435,000 were from Virginia and the rest were from Kentucky and South Carolina. No misuse of the exposed data has been reported so far.

Source: Media: http://www.nbcconnecticut.com/

Business

September 22, 2016 – Premier America Credit Union, California, reported that a departing employee sent an account list containing name, address and maybe social security and/or employer Identification number to his personal email address for most likely solicitation purposes in future. The employee was reminded of his obligations and company regulations and advised not to use any of this information for any purpose. The management further offered complimentary one year credit monitoring services of Experian to the victims.

Source: California Attorney General
August 8, 2016 – 7-Eleven reported that in June 2016 during a regular maintenance cycle some of the franchisees received the records of employees other than their own franchisee’s employees. The exposed information contained name, address, phone number and social security number of 7,820 employees. The correction was completed within 5 days. 7-Eleven offered 12 months of First Watch Technologies’ professional identity monitoring service to the victims in addition to $1,000,000.00 in identity theft insurance with no deductible.

Source: California Attorney General