Malicious insider leaks are up by over 50% in the first six months of 2009, according to the latest KPMG research.
More and more people are being tempted to steal vital data from their employer - data that could be used in a crime or passed to competitors. This is one of the main findings of the 2009 Data Loss Barometer, KPMG's analysis of lost and stolen information.
"A combination of economic pressures and tempting offers from organized criminals has led some employees to see theft as an option," says Edge Zarrella, Global Head of IT Advisory for KPMG. The claim is borne out by cases in the research. In one, a U.S. employee working within an HR department stole information on at least 10 fellow employees and passed it to a relative, who used it to open accounts and buy thousands of dollars' worth of goods. Earlier this year, a senior manager at a financial institution in Japan, with privileged access to its systems, stole its entire customer database and sold it on.
"People are often the weakest link in the chain," says Zarrella, "so it's more important than ever to keep a firm control on those individuals with access to sensitive internal systems and data."
This rise bucks the overall downward trend in reported data loss in 2009. Almost a third fewer cases were reported than in the first six months of 2008. There are two possible explanations for the fall. Firstly, following several high-profile incidents in 2007, many organizations are more aware of the need to protect information. Secondly, media focus has shifted onto the wider recession.
The impact of data loss continues to rise, however, with more than 110 million people being affected during the first six months of 2009. A large portion of this figure relates to a breach at Heartland Payment Systems, where more than 100 million credit/debit card details were allegedly accessed by hackers. The incident is at present one of the largest data breaches in U.S. history.
Government plays catch-up
While many sectors are upping their game and reducing cases of data loss, one big exception is government. Reported government incidents are up 18 percent on 2008, and almost 30 percent on 2007. This is particularly worrying given the high public and media attention such cases attract.
One industry that appears to have got its act together is the financial services sector, which has seen incidents of lost information fall by more than two-thirds.
"Financial information and intellectual property is highly valued by an identity fraudster or criminal," comments Zarrella, "so it is encouraging to see banks and other institutions placing greater focus on protecting this data."
Despite such encouraging progress, he warns against complacency. "At a time when fraud in general is on the increase, criminals will continue to look for ways to access personal accounts. So financial companies cannot afford to take their eyes off the ball."
What's on that laptop or memory stick?
Although the theft of laptops is still the most common of all data security breaches, the total number of such incidents has almost halved since 2008.
There has also been a significant drop (of 20 percent) in the number of portable media (USB keys, BlackBerrys, mobile phones, etc) that have gone missing, although cases are still all too common where personal data is inadequately protected. In Norway, a USB key containing records of psychological evaluations was lost and eventually found in a public car park.
It's possible that such cases are so commonplace that they go unreported except in exceptional circumstances - for example, when memory sticks containing millions of names go missing. Such was the case in Germany, where a telecommunications company lost a disk containing the names, addresses and contact details of 17 million customers in 2006, only for the incident to be reported in 2008 following news that the data had been offered for sale on the internet.
And, as Zarrella points out, these devices are holding ever-increasing amounts of information. "You're only one high-profile incident away from potential disaster," he warns. "Organizations should be fully aware of the risks and have a platform for internal incident reporting and analysis."
When it comes to theft of portable devices, criminals are likely to care less about the actual devices than the data they contain, which could be used directly or traded on the black market. Encryption of laptops and other portable devices should therefore be a minimum requirement. However, our research shows that, for 2009, no protection measures had been applied to at least 24 percent of lost or stolen portable devices.
Encryption is not an option for plain hard copy, of course, and the casual discarding of such papers continues to pose serious security risks. Incidents of improper disposal of hard copies are up by nearly a quarter this year, suggesting that many companies should look again at their handling of confidential waste.
No room for complacency
Despite fewer data losses than expected in the first half of 2009, the continuing economic slowdown could well see the number rise to match the record tally of 2008 (703), with malicious theft a particular worry.
Moreover, the number of incidents that get reported could also rise, says Zarrella: "One of the potential influences [of this rise] is possibly the changes to laws on disclosure of lost data."
Many national governments are likely to mandate public notification of data loss incidents, particularly in Europe, where the recently amended e-Privacy directive has introduced a data breach notification requirement (initially limited to providers of public electronic communications services). The U.S. and, to a lesser extent, the UK have provided the bulk of reported cases to date, but Zarrella predicts that may change. "Don't be surprised when the media start to take more interest once these laws are passed. We may start to hear a lot more from Europe, Asia-Pacific and beyond."