How to avoid 5 common storage mishaps

Blindsided! These companies thought they had their stored data locked tight, but they were wrong. Here's how you can avoid a similar fate.

4. Negligent Employees

The spouse of a telecommuting Pfizer employee installed unauthorized file-sharing software on the worker's company laptop, enabling outsiders to gain access to files containing the names, Social Security numbers, addresses and bonus information of about 17,000 current and former Pfizer employees. An investigation revealed that about 15,700 people had their data accessed and copied by people on a peer-to-peer network, and another 1,250 may have had their data exposed. Because the system was being used to access the Internet from outside of Pfizer's network, no other data was compromised.

Costs: Pfizer contracted for a "support and protection" package from a credit-reporting agency, which includes a year's worth of free credit-monitoring service for those affected and a US$25,000 insurance policy covering costs that individuals might incur as a result of the breach.

Blinders: Careless insiders -- not malicious ones -- are the No. 1 threat to data security, according to a recent Ponemon study, in which IT professionals said 88 percent of all breaches involved negligent insiders. "If there were more employee awareness about security, the number of breaches would come way down," Muller says. In Pfizer's case, the employee's spouse had configured the software so that other users of the file-sharing network could access files the spouse had stored on the laptop, but that gave people access to Pfizer files, too.

Combine negligent users and file-sharing software, and you've got a dangerous mix. Although most companies have outlawed P2P file sharing on their corporate networks, according to a 2007 study by Dartmouth College, many employees install it on their remote and home PCs. The study found, for example, that employees at 30 U.S. banks were sharing music and other files on peer-to-peer systems and inadvertently exposing bank account data to potential criminals on the network. Once business data is exposed, it can spread to dozens of computers around the world.

Eye-openers: First off, IT needs to either ban P2P software entirely or set policies for P2P usage and implement tools to enforce those policies. "[Pfizer] should have done a better audit of their systems to stop employees from loading any software," Muller says. "You can take away their admin rights so they can't install anything." Also important is training, he says, so users understand the dangers of P2P, what makes a good password and other standard security practices.

"There's a huge need for education so employees understand we're not trying to make things difficult but that bad things could happen," Semple notes. "It's having them understand, 'I can't do this, and here's why.' "

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about ACTBillionCarnegie Mellon University AustraliaCERT AustraliaDepartment of JusticeDuPont AustraliaFBIFederal Trade CommissionFidelity NationalMastercardMellonNetAppNetAppPfizer AustraliaPLUSSNIAStorage Networking Industry AssociationUS Department of JusticeVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by Mary Brandel

Latest Videos

More videos

Blog Posts