Awareness Technologies Advisory: Preventing Exposure from the Biggest Insider Threats of 2010

LOS ANGELES, Dec. 9, 2010 /PRNewswire/ -- With insider breach incidents now costing businesses an average of $3.4 million per business per year (source: Ponemon Group), Awareness Technologies Inc. ("ATI"), the only provider of Complete Insider Threat Security On-Demand, today released its analysis of the sources of the biggest insider data breaches for businesses in 2010.

"In examining the top data breach incidents this year, three clear and escalating threats are emerging, albeit preventable," said Ron Penna, Chief Strategy Officer at Awareness Technologies. "While corporate laptops and computers and the growing use of USB flash memory sticks remain the top reported data breach methods, it's employee use of webmail services such as Gmail, Hotmail and Yahoo! Mail that is emerging as the biggest underreported way in which confidential information gets into outside hands."

Penna added that businesses will need to re-evaluate their employee security practices in the year ahead to address the increasing threat posed by careless insiders.  These insiders fall into three categories: untrained employees, employees that are duped or fall prey to social engineering type attacks and malicious employees.

Based on its experience serving more than 10,000 corporate customers and identifying data breaches first hand, Awareness Technologies believes these most common breach sources are easily contained and often preventable.  

Addressable Data Breach #1 – Stolen Laptops

Massive data breach incidents have occurred this year resulting from theft of laptops including at AvMed Health Plans, in which personal information on 1.2 million customers was compromised.  Companies using proactive laptop theft recovery services which not only geolocate the device and monitor the thief's activities, but can also remotely retrieve and delete files, are positioned to move quickly to contain damage when theft is discovered.  Data at rest scans can be deployed to eliminate the data in the first place and there are software agents that give control over the laptop even when off the network.

Addressable Data Breach #2 – Use of USB memory drives

USB flash drive usage has exploded, with a recent Ponemon Institute report indicating that 51 percent of enterprise users store confidential information on USB flash drives. WikiLeaks recently exposed that an employee had inserted a USB thumb drive into a secure Pentagon computer, which contained a malicious virus that spread quickly and damaged thousands of files.  For more preventive-minded companies, network access control software can be deployed to block complete access to USBs, but this blocking approach may not be practical for most businesses.  In general, companies are wise to adopt the right DLP (data loss prevention) solutions, to monitor or limit what can be moved to a USB drive or, if desired, it can render the drive completely useless.  And there are cost-effective solutions in the marketplace that are affordable for companies of all sizes.

Addressable Data Breach #3 – Use of personal webmail services

While some companies do ban personal emails in the workplace, taking a proactive approach that makes decisions based on the content of the communications instead of simple block/allow lists is infinitely more effective for preventing data breaches.  Ideally, a DLP solution should enforce policies that prevent certain type of information from leaving via webmail services.  The better DLP options for businesses rely not on which channel is being used but rather instead take a data-centric approach to identifying breaches.  Companies should also consider limiting user privileges such as limiting depth of access to certain applications appropriate to the role of the user in the company.  For example, a company could allow a junior account executive to have webmail access, but not be able to use it to send confidential data or be allowed to use potentially problematic programs such as peer-to-peer or encryption software.

"Whether malicious or accidental, data breaches are devastating to a company's bottom line and its customer relationships and the right policies, training and technology can dramatically reduce an organization's risk to careless insiders," added Ron Penna.

About Awareness Technologies

As the pioneer in Unified Insider Threat Prevention, Awareness Technologies SaaS-based service is easily available and affordable for businesses of any size. Architected at the endpoint, clients can access 4 technologies including DLP, web filtering, employee monitoring and laptop recovery, through one agent download and one control console.  Awareness Technologies has over 10,000 businesses world-wide currently depending on its solutions to protect their data from insider threats, and has been named on Deloitte's 2010 Technology Fast 500, the MSPmentor 250, and the CRN's 2009 Emerging Vendors list. www.awarenesstechnologies.com.

SOURCE Awareness Technologies Inc.