As 2010 draws to a close, it’s a good time to reflect on the mistakes of the past year and learn from them. Here are five notable breach stories from 2010 — and the lessons they teach:
1. Insider threats you wouldn’t expect
Businesses know to run background checks on new hires, especially IT staffers who’ll have access to sensitive information. But it’s not just new staffers businesses need to be aware of — even relatively long-term employees can be misusing their access to commit crimes.
That’s what the IT department at the University of California San Francisco Medical Center learned after Cam Giang, an employee for five years, was caught stealing co-workers’ and students’ information from a medical database.
IT managers should only give staffers the level of access they need to do their jobs, and monitor access to sensitive parts of the network.
2. Misbehaving ex-execs
Even high-level employees aren’t always on the level. Take Darnell Albert-El, former IT director for Virginia-based telecom equipment supplier Trans Marx.
Albert-El was fired from his post and subsequently logged in to the company’s network from home and deleted more than 1,000 files from Trans Marx’s web server. He was recently sentenced to 27 months in prison and fined $6,700 for the sabotage.
The lesson: Take special care whenever any staffer leaves the company on bad terms. Make sure passwords are changed and access rights are removed immediately.
3. Security goes beyond computers
Though PCs and mobile computing devices are the most common target for data thieves, other devices can also be used to steal information, as New York-based Affinity Health Plan found out earlier this year.
In May, Affinity had to notify more than 400,000 employees, applicants and health plan members that their records may have been compromised after a copier formerly belonging to the organization was found waiting to be resold, with images of sensitive documents still saved to its hard drive.
It’s an often-overlooked element of security, but copiers and any other machines that hold data (which is most devices these days) need to be kept secure and properly scrubbed before being taken off the company’s premises.
4. The right way to respond after a breach
Out of all the problems businesses face after data is stolen, legal issues can be the most costly. If someone’s personal info is stolen and used to commit fraud, the company could be on the hook for damages.
However, responding appropriately can go a long way toward limiting liability after a breach occurs.
Aetna was sued after its online job application site was hacked. Affected employees and job applicants claimed that the breach left them more susceptible to identity theft.
After the breach, Aetna sent letters to anyone who might be affected, warning them to watch their bank statements for signs of fraud and to ignore e-mails asking for personal information, and offered to pay for a year’s worth of credit monitoring.
In part due to Aetna’s actions, no one suffered any actual damages. Therefore, the court ruled the company couldn’t be held liable.
5. Watch for social networking cons
Most people — including IT professionals — could use some lessons in separating friends from foes online.
That’s the lesson from a recent experiment conducted by researcher Thomas Ryan, co-founder of Provide Security. In a presentation at this year’s Black Hat security conference in Las Vegas, Ryan explained how he used a fake online profile to gain the trust of some people who should have known better, including government intelligence officers and other security pros.
Ryan created the profile, using photos of an attractive young woman, and gave her an impressive background, including education at MIT and a prestigious prep school, and work experience at the Naval Network Warfare Command.
From there, Ryan started friending some prominent members of the military and security communities. While some folks did enough research to realize the profile was phony, most were fooled and freely volunteered sensitive information to the fictitious woman.
As most users, including top executives, are now using social networking sites to some degree, it may be time to warn them about how to stay safe.