Data Leaks: Are IT Department to Blame?

If you’re a business owner, keep a close eye on your IT team on a Tuesday, as recent reports would indicate that the most likely day for a deliberate data breach or sensitive information leak is that day of the week. And someone from the IT department is most likely to be the culprit.

IT staff have been discovered as being the most likely people to deliberately leak sensitive company information, according to a survey carried out on ‘insider threats’ by security firm Orthus in February 2011. Other staff members can also take advantage of any weak areas in company security - according to the research, company customer service teams were not far behind in the data breach deception.

According to the findings of the report, the insider most likely to find themselves giving away important, secret company information is probably going to work in the IT or customer services department, and the data breach will originate from a laptop or mobile device rather than a fixed, desktop computer. Some staff members can be pretty brazen when it comes to doing the dirty on their employer – most will quite blatantly copy sensitive data onto a removable hard drive and then just walk out of the door with it – or send a copy of it to themselves via a webmail account.

Where did the Data Breach Information Come From?

The research was carried out by Orthus, a company that supplies security solutions for business. The company deals with large corporations and small businesses and specialises in finding solutions to their data security issues, as well as other business services. Orthus also carries out business audits, and this is what it used to base the information for the survey on. The company looked at information taken from data leakage audits it had carried out on its own customer sites since 2006, and covers around 500,000 hours of user activity within an unspecified number of organisations – mostly in the UK – with 1000 or more employees.

The survey used a comprehensive definition of ‘sensitive information’ – basically, staff members who took part in the survey were asked to designate specific folders where they were likely to store sensitive information, and the documents within each folder were then scanned for specific keywords and/or phrases.

The type of information found in the folders was categorised into different areas:

• personal (including customer data)
• finance
• legal information and contracts
• sales, pricing and competitive analysis
• procurement and cost pricing
• human resources (including personnel information, CVs, staff photographs,)
• board meeting minutes and notes
• miscellaneous client-specific information.

The Figures for Data Breaches

In 30 per cent of cases, the source of any suspicious activity was traced back to the IT department in while staff in the customer services department were responsible for 22 per cent. Other culprits were the sales team who notched up 12 per cent and the operations department with 10 per cent.

HR teams, along with legal departments and finance departments were at the bottom of the list – Orthus believe this is probably down to their professional awareness about confidential and sensitive information.

Mobile devices were responsible for most of the incidents of corporate data leakage - a mobile device was involved in 68 per cent of examples.Other media used were web mail, removable media and in some cases even company email, and for some reason, security incidents tended to peak between 9am and 5pm on a Tuesday.

The conclusion was that managers should be vigilant with security measures around IT and Customer services staff, making sure they are most aware of the consequences of deliberate or accidental data breaches.