
Data Theft Risks & Costs Exposed
Any business that uses electronic communications is at risk of electronic data
theft. Theft or loss of customer records, business plans, and even sales
presentations can result in legal action, brand damage or a rapidly dwindling
customer base. Indeed, according to a May 2007 study, 85% of organizations surveyed
reported that they had experienced a data breach event.
But just who is stealing data? Surprisingly, insiders are four times more likely
than outsiders to be the cause. More often than not, breaches are the result of
employee error, with intentional theft by employees the second most likely
cause.
The Risks
How vulnerable is your data?
With computers and e-mail now the backbone of business communication, protecting
your organization is no longer a matter of locking the filing cabinet. Today,
90% of a company’s intellectual capital can be found in digital format. At any
given time, 45% of those ideas can be found in the e-mail system.
What’s at stake?
The amount of confidential information on today’s company network and mail
servers is only one reason why data theft is so dangerous. Data theft can
affect:
• Legal liability
• Compliance with regulations
• Corporate reputation and brand
• Ability to compete in the marketplace
More than a red face – the bottom line
Data theft is one of the most expensive security incidents a business can face.
In 2006, total costs averaged $182 per lost customer record, an increase of 30%
over 2005 results. The average total cost per reporting company was $4.8 million
per breach, and ranged from $226,000 to $22 million. For the 93 million records
compromised in 2006, the total cost was $16.9 billion.
Know your enemy
Businesses rate hackers as the biggest IT security worry (37%), over current
employees (18%) and terrorists (2%), but data theft statistics tell a different
story. The number one cause of data breaches is employee error. Coupled with
deliberate data theft, insiders are four times more likely than outsiders to
cause data breaches.
The insider threat
Even the best employees can leave organizations exposed by accident. Poorly
trained or disgruntled workers are a particularly high risk. While good
management can reduce the risk of employee error, intentional data theft is less
easily controlled, and is far more prevalent than employers would like to think.
A survey of 400 business professionals found 70% had stolen corporate IP from
their employer when they left a job. The thieves felt they owned this
information and were entitled to take it with them. The survey noted the most
commonly stolen items were e-mail address books (54%), sales proposals (33%),
and customer databases or contact information (30%).
In July 2007, Fidelity National disclosed that a database administrator had
illegally downloaded and sold customer data from 8.5 million consumers to a data
broker. The data included names, addresses, birth dates, bank account and credit
card information.
The outsider attack
Unknown outsiders and ex-employees are also a serious threat, responsible for
over one in six breaches. Attractive targets for cyber criminals are customer
databases, which can be plundered to commit identity fraud, as well as network
and internet banking passwords.
Perhaps the most notable breach this year was the theft of credit card data on 45.7
million customers of TJX, parent company of retailers T.J. Maxx and Marshalls.
Company officials say hackers may have pilfered bank card data as customers
making purchases waited for their transactions to be approved. TJX transmitted
the data to banks "without encryption," a violation of credit card company
guidelines.
What puts your business at risk?
The Mobile Workforce
With notebooks now outselling PCs, workers are taking confidential data with
them when they leave the office. The personal data of roughly 1 million Ohioans
was lost when a 22-year-old intern took a "data device" (a laptop or data
storage device) home as part of the state's security procedures. Ironically, the
procedure was intended to provide a backup of the sensitive data.
She left the laptop in her car, however, and it was subsequently stolen while
the car was parked in her apartment complex.
From 2005 to 2006 there was an 81% increase in the number of companies reporting
stolen laptops containing sensitive information. According to a 2007 McAfee and
Datamonitor survey, an ordinary notebook holds content valued at $972,000, and
some could store as much as $8.8 million in commercially sensitive data and
intellectual property.
Data can also be compromised when employees connect laptops to less secure
networks when out of the office.
Unsecured e-mail
While unsecured e-mail can be intentionally exploited to steal data, unwitting
accidents can also lead to serious breaches. With e-mail now more widely used
than ever before, accidents are shockingly common.
In a recent study, almost 30% of employees said they had received an e-mail not
intended for them. E-mail accidents can range from careless ‘reply-all’ mistakes
to poor document control, particularly when confidential files are incorrectly
attached and distributed. The speed of e-mail also means that disclosures can be
made without proper forethought or clearance from supervising staff.
More than 25% of employees in this same study admitted to sending an e-mail to
the wrong person. For one in five, their accidental e-mail contained
confidential information.
Data slurping
Data slurping is fast becoming one of the biggest data theft threats. The low
price and widespread popularity of portable storage devices, like USB keys and
portable media players, mean every employee can own one. Today, 1GB costs less
than $100. The popular Apple iPod currently boasts a worldwide circulation of
over 40 million. Most mobile phones double as portable storage too. Standard
portable devices offer enough storage to store lengthy documents, customer
databases, financial spreadsheets or confidential presentations.
Along with the risk of intentional misuse, employees who take work home using a
portable storage device could inadvertently compromise confidential data by
transferring it to a poorly protected personal computer.
Instant messaging (IM)
The rise of instant messaging (IM) applications is also opening up new areas of
data theft risk. Fifty-seven percent of workers have used IM at work for
personal reasons. Much like e-mail, IM programs can be used to smuggle files and
information out of an organization, yet conversation threads can’t be logged
without dedicated software.
Yahoo, the developer of one IM program, became a victim itself in early 2006
when seven former engineers and business development staffers stole confidential
information via IM programs to avoid detection.
Peer-to-peer (P2P) filesharing
Unregulated use of peer-to-peer (P2P) software can also lead to theft of
confidential information. P2P allows users to join file sharing networks where
files are downloaded from the user’s computer, rather than a central server.
While many employers are aware P2P can be used to download music and other
unwanted material onto a corporate network, few know company data can also be
made available to other file sharers on the network. This is most likely to
occur when users unwittingly include confidential company files in the list of
materials they have agreed to share.
Malware and spyware
Often downloaded unwittingly, malware (malicious software) and spyware spy on
users, whether by tracking online activity or recording every keystroke. One of
the most paralyzing data losses of recent years was the exposure of over 40
million MasterCard customer credit card records, executed through malicious
code. E-mail is the most common source of malware infection, followed by
browsing malicious websites and infected PCs/laptops joining the network.
Combating data theft
The basis of any strategy against data theft should be a thorough assessment of your
organization’s vulnerability points, coupled with an Acceptable Usage Policy (AUP)
that covers handling of confidential information. Good AUPs not only clarify
expectations and responsibilities for the use of desktops, notebooks and the internet, but
they also shield organizations from potential legal liability. Every AUP should
include clear policies about the handling of sensitive and highly confidential
information. While these steps can minimize the risk, they can’t completely
prevent data theft from happening.
An effective approach to reducing the risks of data theft is multi-layered
protection that covers all electronic communications, including e-mail, internet
traffic, desktop application use, and access to confidential documents. A good
solution will prevent malware and spyware from entering the network, stop
outbound leaks at the network perimeter and desktop, and improve ability to
manage confidential information internally.
CompuData recommends SurfControl’s Enterprise Protection Suite, which provides
simultaneous protection against data theft and other security threats from the
Internet, covering both inbound and outbound traffic:
• spam, spyware, phishing and keylogging attacks
• IM, P2P, gaming and malicious content
• artificial intelligence tools, heuristics, custom data signatures and
dictionaries that recognize when your sensitive data is about to be emailed
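As an added illustration of the "custom data signatures and dictionaries" layer described above (example code written for this page, not SurfControl's product), this Python script inspects a constructed outbound message and flags confidential dictionary terms and Luhn-valid payment card numbers in its body and text attachments; the term list and the sample message are assumptions.

```python
import re
from email import message_from_string

# Constructed term dictionary and card-number pattern (assumptions for this example).
CONFIDENTIAL_TERMS = ("customer database", "sales proposal", "confidential")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13 to 16 digits, optional separators

def luhn_valid(digits):
    """Luhn checksum: rejects digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return Luhn-valid card-like numbers in text, separators stripped."""
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]

def scan_outbound_message(raw):
    """Inspect the body and every text attachment of an outbound message."""
    findings = {"terms": set(), "cards": []}
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # binary attachments would need their own text extractor
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        findings["terms"].update(t for t in CONFIDENTIAL_TERMS if t in text.lower())
        findings["cards"].extend(find_card_numbers(text))
    findings["block"] = bool(findings["terms"] or findings["cards"])
    return findings

# Constructed outbound message: harmless body plus a CSV attachment that leaks data.
SAMPLE_EMAIL = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sheet attached. Ticket ref 1234 5678 9012 3456 (fails Luhn, so not a card).
--b1
Content-Type: text/csv; name="customers.csv"

Confidential: customer database export
J. Doe,4111-1111-1111-1111
--b1--
"""
```

Running `scan_outbound_message(SAMPLE_EMAIL)` flags the attachment while ignoring the body's ticket reference, which is the kind of decision a perimeter filter makes before an e-mail leaves the network.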