You do complete background checks and go through references as part of your hiring processes. You continually and painstakingly train employees on security and data breach topics to make sure they are educated and will know what to do and not to do during the course of daily business.
You even conduct daily auditing of system activity and ensure that you are consistent with discipline at your workplace. On top of it all, you’ve even gotten cyber insurance. You’ve made reasonable efforts to protect your sensitive business files as well as data and your business. And, you trust your staff, so you naturally feel pretty confident that you are covered on all sides.
This false sense of security lies behind many of the data breaches we all hear and read about daily. The concept of “inside” and “outside” in an enterprise network is dated. Businesses increasingly work with consultants and with employees who work remotely or on mobile devices, and the old network perimeter security can’t cope with increasingly porous borders. While you focus on external threats, right under your nose there is an even more significant security gap, as shown by some of the notable breaches below:
- This week the FBI arrested a National Security Agency contractor on charges of stealing highly classified information. The authorities cannot say with certainty whether the contractor leaked the information, passed it on to a third party or simply downloaded it.
- Last month, Sage, a supplier of accounting and payroll software, was the target of a data breach caused by a company employee. It’s unclear what information, if any, may have been leaked.
- Earlier this year, two scientists were charged with stealing valuable intellectual property from their employer, pharmaceutical giant GlaxoSmithKline. They were using the stolen information as the basis for a new company they had started in China.
- Last summer, Providence Health & Services notified 5,400 Oregon patients of a PHI data breach. A former employee had accessed patient health records “without any apparent business need”. The worker accessed medical records for about 4 years, and Providence stated it does not believe the information was further viewed or disclosed.
The examples above are a small sample of the damage done by trusted insiders who betrayed the trust placed in them. After most data breaches, we hear statements meant to minimize the impact: All is fine! We do not believe the information was further disclosed or used! We are offering one year of identity protection!
But the real impact is huge, both to businesses and to the people whose information is compromised. Businesses suffer financial and reputational losses. People are exposed for a lifetime. What happens to all this breached data? Once it is out there, it is out, and the lifespan of stolen, unprotected information is forever, since most environments have no way to tell whether the data has been copied and distributed further. Companies haven’t implemented a mechanism to disable access to this sensitive data, so it floats out there forever.
There are elegant ways to protect sensitive data using technologies that exist today, whether the threats come from external or internal sources. This can be achieved by supplementing the technologies already deployed in most organizations with an additional security layer that protects data at the time of creation. That technology is called persistent data-centric security.