So You Think Your Data Is Secure?
Computerworld - Everything I'm about to tell you is true. And if you're a corporate executive who's serious about information security, corporate governance and compliance, you will cut this column out and nail it to your CEO's office door.
In the course of researching my latest book, The Insider: A True Story (Llumina Press, 2005), which traces the history of some of the most notorious insider security breaches in history, I came across a company that offers free 48-hour risk assessments based on its new insider-monitoring appliance. And while it's not my job to sell you on this product, I do want to share the insight I gained from a review of more than 50 of the real-world assessments this company conducted at some of the biggest firms and government agencies in the nation.
Companies have invested millions of dollars on security systems like firewalls, intrusion-detection devices, antivirus software and biometrics. But they've done close to nothing to ensure the security of sensitive data as it's handled by those with authorized access to it. Don't believe me? Consider these findings:
- A 48-hour risk assessment conducted in April at a top 20 financial institution intercepted a spreadsheet containing the names of 200 customers and their account numbers, account balances and tax identification numbers as it was being transmitted to a personal EarthLink e-mail account. Employees of this firm also routinely sent customer information in clear text that contained Social Security numbers, names, addresses, dates of birth, driver's license numbers, account numbers and balances. And while the firm has made considerable efforts to develop a strong privacy policy and build a secure e-mail system, only 12% of the data monitored was encrypted -- a specific recommendation of the Gramm-Leach-Bliley Act.
- That same month, technicians conducted a similar risk assessment at one of the biggest IT firms in the country -- a company that has a security budget to die for. In two days of monitoring, the system intercepted proprietary planning documents being e-mailed via Web mail (and yes, the company thought it had locked that down) to a direct competitor. The employee in question, along with 50 of his colleagues, had been hoping to land a new job.
- In the manufacturing sector, one of the biggest brand names in the U.S. was shocked to find what amounted to material weaknesses in its internal controls. Payroll data and hundreds of Social Security numbers were discovered leaving the network unencrypted and going to private e-mail accounts. In addition, 123 engineering and design documents had been sent to unauthorized recipients outside the network, only days before a major new product campaign was to be launched.
- Officials at various hospitals were shocked to learn that privacy-protected data on hundreds of patients was routinely leaving the network and going to unauthorized recipients. One facility recorded 2,000 violations of the Health Insurance Portability and Accountability Act in 48 hours. Another watched in horror as the names and medical information of more than 500 patients with HIV/AIDS were communicated to a private Hotmail account.
These were 48-hour snapshots of what's really happening behind the firewall. These incidents and many more like them are occurring in every sector of the economy because policies are meaningless without an enforcement mechanism. It's one thing to trust. It's quite another to verify.
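The kind of outbound-mail check those assessments rely on, reduced to its core, as an added illustration that is not the appliance's code or anything from the column: the mail records, the personal-webmail list and the SSN/account-number patterns are constructed assumptions, and the encryption share it computes is the same figure the 12% finding above refers to.

```python
import re

# Constructed outbound mail records standing in for what a monitoring appliance sees.
SAMPLE_MAIL = [
    {"from": "jdoe@bank.example", "to": "jdoe@earthlink.net", "encrypted": False,
     "body": "customer list: SSN 123-45-6789, account 1234567890, balance 5,000"},
    {"from": "ops@bank.example", "to": "partner@vendor.example", "encrypted": True,
     "body": "Q3 statement attached, SSN 987-65-4321"},
    {"from": "hr@bank.example", "to": "all@bank.example", "encrypted": False,
     "body": "Lunch is at noon on Friday."},
    {"from": "eng@bank.example", "to": "me@hotmail.com", "encrypted": False,
     "body": "design doc v3 attached"},
]

# Personal webmail providers named in the column; a real policy list would be longer (assumption).
PERSONAL_WEBMAIL = {"earthlink.net", "hotmail.com"}
# US Social Security / tax identification number layout (NNN-NN-NNNN).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Hypothetical account-number layout: the word "account" followed by 8 to 12 digits.
ACCOUNT_RE = re.compile(r"\baccount\W{0,3}\d{8,12}\b", re.IGNORECASE)


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def has_sensitive_data(body):
    return bool(SSN_RE.search(body) or ACCOUNT_RE.search(body))


def inspect(msg):
    """Return the policy violations for one outbound message (empty list if clean)."""
    reasons = []
    to_domain, from_domain = recipient_domain(msg["to"]), recipient_domain(msg["from"])
    if has_sensitive_data(msg["body"]) and not msg["encrypted"]:
        reasons.append("sensitive data sent in clear text")
    if to_domain != from_domain and to_domain in PERSONAL_WEBMAIL:
        reasons.append("external personal webmail recipient")
    return reasons


def report(messages):
    """Map each violating message index to its reasons, plus the encrypted share of sensitive mail."""
    findings = {}
    for i, msg in enumerate(messages):
        reasons = inspect(msg)
        if reasons:
            findings[i] = reasons
    sensitive = [m for m in messages if has_sensitive_data(m["body"])]
    encrypted_share = sum(m["encrypted"] for m in sensitive) / len(sensitive) if sensitive else 1.0
    return findings, encrypted_share
```

Run over the constructed records, `report(SAMPLE_MAIL)` flags the spreadsheet to EarthLink on both counts and the design document to Hotmail on the recipient rule, while the encrypted vendor mail passes; half of the sensitive messages were encrypted.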
In addition to The Insider, Dan Verton (www.danverton.com) is the author of Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill Osborne Media, 2003). He is a former intelligence officer in the U.S. Marine Corps and a former Computerworld senior writer.