The Ponemon Institute surveyed 709 U.S. IT and IT security experts who have some level of responsibility for data protection in their organization. In January of 2012, they released the results of their research: The Human Factor in Data Protection, which focused on how employees and other insiders can put sensitive and confidential information at risk (and what organizations are doing to reduce this risk).
According to 78 percent of respondents, their organizations have experienced a data breach as a result of negligent or malicious employees or other insiders. Lost laptops and other mobile devices, mishandled data, and malicious employees or other insiders are the root causes of many of these breaches.
The study found that employees routinely engage in the following 10 risky practices:
- Connecting computers to the Internet through an insecure wireless network.
- Not deleting information on their computer when no longer necessary.
- Sharing passwords with others.
- Reusing the same password and username on different websites.
- Using generic USB drives not encrypted or safeguarded by other means.
- Leaving computers unattended when outside the workplace.
- Losing a USB drive possibly containing confidential data and not immediately notifying their organization.
- Working on a laptop when traveling and not using a privacy screen.
- Carrying unnecessary sensitive information on a laptop when traveling.
- Using personally owned mobile devices that connect to their organization’s network.
The growing mobile workforce, with its abundance of data-bearing mobile devices, together with the increased use of social media in the workplace, are likely factors increasing the threat to data security posed by company employees. Employees who make unintentional mistakes rarely report the incidents that could compromise business security; as a result, many breaches are discovered only by accident.
To manage the human risk factor, organizations are turning to enabling technologies such as access governance, endpoint security management and security intelligence, among others. Applying technology is important in data protection, but it is equally critical for organizations to reduce the risk of employee negligence or malice by implementing policies, training, monitoring and enforcement. Protecting your company online begins with ensuring your employees are prepared to help keep your computers and networks safe, and with monitoring their compliance.
Any merchant who accepts credit and debit card payments should always follow Payment Card Industry (PCI) guidelines for security controls and have quarterly network scans performed by an Approved Scanning Vendor (ASV) to guard against breaches.
The PCI Data Security Standard (PCI DSS) applies to any merchant or service provider who stores, processes or transmits customer account data. If a breach occurs and the merchant or provider is not PCI compliant, they face expensive fines and fees, a costly and possibly lengthy audit, and additional restrictions. Together, these factors can deal a severe blow to their professional reputation, which could lead to the loss of customers and, ultimately, their business.
TransFirst® recommends that all merchants become familiar with Compliance 101, which offers small and mid-sized businesses numerous affordable tools and professional support to become PCI compliant and maintain that status. Not only must you protect your company, you must also protect your customers. Maintaining PCI compliance will help you earn your customers’ trust that you are committed to protecting the personal information they share with you, and it will also mitigate the largest risks to your business.