And many of them aren't from disgruntled employees, but from good people who may experience a lapse in judgement ("Hey mom, can I use your laptop for something? My computer's too slow").

Today, Pharmalot reported that the personal data of 17,000 Pfizer employees (including social security numbers) was exposed, since an employee's spouse had installed file sharing software on the laptop. This was clearly an accident, but Ed Silverman reports that the folks on Cafe Pharma are steamed and demanding vengeance. An excerpt:

"The information was stored on a Pfizer laptop computer that was provided to a Pfizer colleague for use in her home. Due to the unauthorized installation of certain file sharing software on the laptop, files stored in the laptop containing names, social security numbers, and in some instances, addresses and bonus information of approximately 17,000 present and former Pfizer colleagues, were exposed to one or more third parties."

Some of these files were copied. Pfizer is reportedly offering employees free credit monitoring for one year.

Peter Rost gleefully reported this as a Pfizer slipup, but this can happen at any company that does not circulate requirements and a clear, firm technology policy to all its employees. And it does happen at many companies each year, at a cost of over $3 million...

More on corporate database and IT security issues and musts from the Ponemon Institute's 2006 survey.

IT security professionals believe poor leadership at the executive level, coupled with a lack of accountability, is a major contributor to the breakdown in corporate data integrity. The study, "National Survey on Managing the Insider Threats," was drawn from the responses of more than 450 U.S.-based IT security professionals, and points to resource and leadership failures as a primary cause of employee complacency, negligence and malicious behavior resulting in both intentional and inadvertent compromise of business and personal information.
The study, sponsored by ArcSight, examined experienced IT security professionals' opinions related to the causes, responses and solutions to the insider threat to data integrity. For the purposes of the study, "insider threat" was defined as the misuse or destruction of sensitive or confidential information, as well as IT infrastructure that houses this data, by employees, contractors and others with access to sensitive or confidential information.

The National Survey on Managing the Insider Threats:
- More than 78% of respondents reported one or more unreported insider-related security breaches within their company.
- 93% of respondents attributed lack of resources and 81% of respondents cited lack of accountability as two primary contributing factors to poor data security.
- Respondents ranked the top three threats to data integrity as:
  - Missed or failed security patches on critical applications
  - Accidental or malicious insider misuse of sensitive or confidential data
  - Virus, malware, and spyware infections