The 5,573 adults polled gave us a resounding answer about whether data breaches are impacting their loyalty: 20-25% of respondents would stop doing business with a company following a data breach. We also asked consumers about the shift to electronic health records, and we saw even more evidence of consumer fears about identity theft and loss of privacy. The key takeaway for me is that consumers are paying attention to how merchants manage sensitive data, and companies that do not act as trusted custodians will see a measurable impact to customer loyalty.

If you’re interested in our latest survey results, please see today’s press release for full details. And we’ve put together a graphical representation of the survey’s findings to better communicate all the numbers – check it out (click the graphic for a larger view):

Working with Harris Interactive, we polled 3,484 employees across the United States, Great Britain and Australia. A significant number of respondents openly admitted they would abuse proprietary and sensitive information. I want to share some of the survey’s results with you, as well as the primary takeaway from each.

First, 22% of US, 29% of Australian and 48% of British employees openly admitted they would misuse data they have been granted access to (either intentionally or mistakenly). This includes:

• 9% of US, 8% of Australian and 24% of British employees would take the data themselves when leaving a job; and
• 10% of US, 12% of Australians and 27% of British employees would forward to someone else, like a former colleague.

I wrote last year about the “moral gray area” around theft of company data. Many employees may believe they own – or at least share ownership – of corporate data they have been working on. Clearly, the survey highlights the need for companies to have corporate policies in place to educate employees about what is and is not allowed, and to have IT controls in place to enforce them. A company may be comfortable with employees taking samples of their portfolio of work with them, but taking customer data or product designs is clearly not allowable.

The most shocking survey finding was that 24% of Britons openly admitted they would sell proprietary data online if they could, compared to 5% of Americans and 4% of Australian. This willingness to profit from access to proprietary data is quite alarming. We got an interesting take on this finding from journalist Jared Wade of Risk Management: “I’m not sure whether U.K. employees are more devious or just more honest, but even the lower totals in the United States and Australia show the enormity of the risk. That’s just a ton of people who have no qualms about leaking — if not outright thieving — data.”

Bottom line: we as organizations need to be vigilant about managing the risk of insider sabotage or fraud. It’s critical to educate employees on corporate data policies and to institute preventive and detective controls to help safeguard data. As the survey shows, the insider threat remains very real, but that risk can be mitigated with identity governance solutions like SailPoint IdentityIQ. Identity governance provides a centralized view into an organization’s identity data and helps to limit and control employee access to sensitive data and applications. (To learn more about how IdentityIQ can safeguard against insider threats, I recommend you read this identity governance overview or take a minute to watch our latest video.)

After reading through the Market Pulse Survey results, how do you think your employees would respond?

The details of the FTC announcement were interesting on two fronts. First and foremost, there was an absolute lack of strong security measures at both companies, making it child’s play for intruders to gain access to sensitive customer data. Lookout was charged with failure to implement strong password policies, storing passwords in clear text, and failure to provide access control to confidential web pages. Ceridian was charged with storing sensitive personal information in clear text on the company’s network and failure to take reasonable measures to detect and prevent unauthorized access to sensitive data.

The second interesting aspect of this news is that it demonstrates how the FTC is proactively taking action to protect consumers against data breaches. Both companies were charged with “unfair and deceptive trade practices” they advertised security safeguards that they failed to provide. The message is clear: if you suffer a data breach that impacts consumers and have advertised the how great your security is, you’re a target for a federal watchdog!

I like how the FTC is requiring the companies to implement and prove strong controls over access to sensitive data as part of the settlements. By mandating comprehensive data security plans and independent security audits, the FTC has sent a clear signal that companies managing consumer information will be held accountable to high standards of data protection. Notably, by prescribing explicit security plans and audits, the terms of the FTC settlements go well beyond the scope of many security and privacy laws in effect today.

The article recaps a study by the Identity Theft Resource Center (ITRC) of 662 data breaches in 2010, which accounted for 16 million exposed records. (The number may sound low, but keep in mind that only 51% of the reported breaches included the number of exposed records, and not all breaches are reported.) According to the article, the ITRC study found that of the reported breaches:

• Nearly two-thirds of breaches exposed people’s social security numbers.
• The leading malicious causes of data breaches were hacking attacks (17.1%) and insider theft (15.4%).
• 26% of breaches involved credit or debit card data.

The article is an important reminder that the insider threat is still very real and represents a significant risk to the business. As you look at how your organization is managing this type of risk, don’t fail to look beyond your employees to any individuals in your organizations that have authorized access to proprietary data, critical files, and applications.

A very interesting article from CERT profiles the insider threat posed by “trusted business partners” – a category that includes contractors, temporary workers, business partners – any individual that performs services for you, but is not an employee. These types of users easily fall between the cracks in fast-paced organizations and can be largely unsupervised – escalating the risk of insider threat tremendously.

As we enter the New Year, I encourage you to take a fresh look at how you’re managing the insider threat. Identifying your high-risk users (both employees and non-employees) should be a top priority. There’s no time like the present to make sure your organization has the proper IT controls in place to minimize that risk by eliminating orphan accounts, conducting regular reviews of shared and privileged accounts, detecting and remediating SoD policy violations, and reviewing the access privileges the access privileges on a regular basis.

The right identity governance tools can significantly strengthen your controls over non-employee access privileges by tagging contractors, temps, consultants and enabling on-demand reporting and analysis on them. You can also assign owners to these types of users (who often don’t have a manager) and ensure those owners regularly review and approve the users’ access privileges.

Lastly, because non-employees often transition from project to project, it’s a great idea to use temporary role assignments (with expiration dates) to ensure that trusted business partners do not retain access privileges long after a project is completed.

With these baseline measures in place, you’ll be in a great position to meet the challenges ahead in 2011 – whether those are new regulations, new business challenges, or new threat profiles.

• Half of the respondents said they would take company data with them when leaving a job. A full 27% admitted they would take customer contact information, 23% would take electronic files, and 16% admitted they would take product designs and plans.
• Interestingly, only 16% said they would take office supplies with them.
• 49% of those surveyed said they would look at information if they were mistakenly given access to a file containing confidential data, such as salary information. 6% said they would also tell someone else about the file’s contents.
• Only 13% of workers think the current recession has made their coworkers more likely to steal data from a company.

For me, the biggest takeaway from the survey’s results is that many employees don’t consider taking electronic data with them when they leave to be “stealing.” I’d guess that many believe they own the customer data or product plans if they worked on them. There is clearly a bit of moral ambiguity about ownership of company data that companies need to address here.

So what is the right way to address this issue? Unfortunately, there’s no silver bullet solution – companies need a layered approach that includes awareness/education, and preventive and detective controls. First and foremost, companies need to be explicit about their policies in this area and clearly define what is considered “illegal” usage of proprietary data.

At the same time, companies need to proactively monitor and manage workers’ access privileges, with the goal of limiting access to only what is required to perform a given job. Identity governance solutions, like SailPoint’s IdentityIQ, play a major role in helping companies ensure that workers’ access privileges are appropriate and conform to policy. IdentityIQ also makes sure that access privileges are promptly de-provisioned when an employee changes roles or leaves the company, and also provides detective controls by automating periodic access reviews and monitoring worker activities on high-risk applications.

What makes this area such a challenge is finding the right balance between limiting security risk and opening up access to sensitive applications and data. Fortunately, identity governance is helping companies successfully mitigate the risks highlighted by the survey. Regardless of where you are with your IAM strategy, given the survey results, I think every company should take a second (or third) look at the policies and controls they have in place. And SailPoint has several resources available to help you, such as our on-demand webinars (including ones on “Five Identity Risks You Need to Know About” and “Managing What Matters: Taking a Risk-based Approach to Identity Governance”) and the 2^nd edition of our Identity Governance Buyer’s Guide.

The IT director of a nonprofit organ donor center for more than 200 hospitals in Texas was fired in November 2005. At the time of her termination, the employee was informed in writing that all her access rights had been revoked. The company also took steps to lock all administrator accounts to which she was known to have access. Despite such steps, the terminated employee still managed to access the company’s network from her home via a VPN account that she set up previously without anyone’s knowledge.

Once inside the network, she used an administrator account belonging to another employee to log into several servers, including the company’s organ donor database server and main accounting server. Over the next several hours, she then deleted donor records, accounting invoice files, database and software applications, backup files and the software tokens needed to run some applications. In a bid to cover her tracks, the ex-employee manually deleted all logs of her VPN sessions. She also disabled the activity logging functions on the database and accounting servers – making it impossible to identity the individual files and applications she deleted.

What makes this case really interesting is that the sabotage occurred even though the company took reasonable steps to handle the terminated employee. The company immediately revoked the employee’s access privileges after terminating her and disabled all administrator accounts to which she had had previous access. So what more could a company do to prevent incidents like this? Here are some ideas:

• Formalize your approach to identity governance by building an authoritative repository of all users and their access privileges – mined from all critical systems. Without centralized visibility, there will always be blind spots, as the situation above illustrates. Statistics show that the average employee has 35% more privileges than they need – so mine the data to find out.
• Once you’ve centralized your data, you can automatically scan it to detect anomalies and policy violations. For example, accounts that don’t map to an active employee in the HR system can be flagged as “orphans” and duplicate accounts (employee with more than one account on any system) can be flagged for immediate remediation.
• Put in place consistent, repeatable processes for business-level oversight of access privileges. For instance, you can require that any change in employment status (termination, transfer, promotion, etc.) automatically triggers a review of all of that employee’s access privileges by his or her supervisor. In the case above, this would have resulted in a comprehensive report of all access privileges held by the fired IT director, with the ability to revoke these privileges at the click of a mouse.
• Consider using privileged user management (PUM) tools like Cyber-Ark to deal with “shared” and administrative accounts. These accounts are particularly troublesome because they are anonymous (e.g., UNIX “root”) and don’t map to a specific employee. With PUM tools in place, organizations can tightly control access to privileged accounts and track, monitor, and log every activity performed by employees using privileged user credentials.

Additionally, consider integrating PUM tools with identity governance solutions to ensure complete visibility and control over all user access privileges. For example, privileged accounts under management by Cyber-Ark can be imported into SailPoint IdentityIQ, displayed in access reviews, and can be used to escalate an employee’s risk score based on his or her access to privileged accounts.

How do you manage the access rights of privileged users?

But, do these approaches work? Even with the alphabet soup of regulations around the globe, we still see “compliant” companies reporting major breaches. Why? I believe many companies lost sight of the original intent of the regulation (risk management, security, data protection) because they were so focused on following the letter of the law to pass the IT audits. As a result, it’s pretty common to see companies investing significant resources into achieving literal compliance, but sometimes, in their zeal to be “compliant,” these firms push security (and common sense) to the side. The goal of proving compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing, and mitigating risks.

The flip side of the debate about regulation is to let the free markets drive good corporate governance. The theory is that companies who “allow” security breaches will lose brand value and customers, and therefore will approach security and privacy protections as good business strategy. However, as a number of analysts and industry watchers have pointed out, breach disclosures don’t always affect revenue or stock prices. The TJX data breach was one of the biggest, costliest and most publicized breaches ever – yet customer and investor confidence in TJX remained largely unshaken in the aftermath. TJX’s stock was worth about $30 per share when the breach was disclosed, and its closing price a year later was just over $29. And during the one year following the breach, TJX reported that comparable-store sales increased 4%.

We probably all agree that strong corporate governance is necessary – and in fact, I’d suggest it’s a strategic differentiator for many companies. But as I talk to companies approaching the same problem from different perspectives, I still wonder: Should we let free market forces determine what corporations do, or should we mandate the “right” behavior to protect consumers and stakeholders?

What do you think?

I’m always interested in what themes get the most play at RSA. This year, I’d have to say that “the cloud” wins the contest hands-down. Cloud computing was ubiquitous – a centerpiece of most keynote addresses, a feature on booth signage throughout the show floor, and not surprisingly, the butt of quite a few jokes (example: let’s do a tequila shot every time we hear the word “cloud”).

In the show’s opening keynote, RSA’s CEO Art Coviello declared cloud computing “the most over-hyped but underestimated phenomenon in history” (borrowing a phrase from Nicholas Negroponte). Coviello went on to say that cloud computing presents us all with the rare opportunity for a “do over” – to be present at the rollout of a new wave of computing with security built-in from the get go. I have to admit I raised my eyebrows at this turn of phrase. I predict that the evolution toward cloud computing will be moderated and incremental – and not a “do over” by anyone’s definition.

Another interesting observation about this year’s show is the continued (and perhaps even bigger) blend of public and private sector speakers. Past years’ shows have featured Michael Chertoff, Melissa Hathaway, and Al Gore. This year’s speakers included Secretary of Homeland Security Janet Napolitano, Howard Schmidt, the U.S. cybersecurity coordinator appointed by President Obama in December, and Robert Mueller, director of the FBI. On Tuesday, Schmidt presented a keynote address and hosted a heavily-attended town hall meeting. In both of these venues, he conveyed a very measured and pragmatic approach to addressing the cybersecurity responsibilities of the federal government. He said more than once “there is no silver bullet.”

During an entertaining Q&A session with the audience, Schmidt revealed the following about his agenda:

• He’s not a proponent of more regulation to drive better security practices. The one exception he mentioned was the area of data breaches (where there is pending legislation).
• He assured the audience that any measures taken by the Fed will respect privacy and civil liberties issues.
• He admitted that the Federal Information Security Management Act (FISMA) is archaic and needs to be changed. He mentioned that some changes are being rolled out this year.
• He believes that we, as a society, are making real progress with cybersecurity. He pointed out that there are fewer devastating attacks and service disruptions than in previous years.

Unfortunately, Schmidt’s position is made all the more challenging by the bureaucracy and interest groups he will have to navigate in Washington – it’s not just a matter of fixing problems and fighting the bad guys. On a positive note, the amount of focus being put on the issue of cybersecurity at the federal level can only be a good thing.

Additional key findings from the survey include:

• More than 50% of those surveyed confirm that IT is responsible for ensuring the security and managing the risk around sensitive applications and data.

• 42% reported shared responsibility and accountability with business managers for the access certification process.

• 61% of the respondents report that they use manual or homegrown processes to manage a company’s access privileges.

• Only 14% of companies believe they have adequate controls in place to address the risk of insider threats in 2010 (which is a similar statistic from our May 2009 Market Pulse Survey).

The complete Market Pulse Survey results, as well as an in-depth analysis of what they mean, is available here.

In the midst of this publicity storm of insecurity, the U.S. government has stepped up its focus on information security and privacy. Currently, two bills – the Data Breach Notification Act and the Personal Data Privacy and Security Act of 2009 – are making their way through Congress. The Senate Judiciary Committee passed the two bills in early November, which are now headed for a full Senate vote. The first bill is designed to protect consumers from having their personal information lost, stolen or exposed (similar to California’s landmark CA 1386 law). The latter bill establishes guidelines for protecting sensitive information and creates the Office of Federal Identity Protection inside the Federal Trade Commission.

It will be interesting to see whether one or both of the U.S. laws pass. Over the past 5 years, similar legislation has been proposed but failed to pass in the U.S. Congress. Proponents see great benefit in unifying various state breach notification laws into a single national law. Opponents fear the law imposes requirements that are too onerous for businesses to bear, in addition to creating more federal bureaucracy to oversee the mandate.

Given the number and frequency of data breaches, I believe that 2010 could be the year we’ll see a national privacy and security law in the U.S. There are clear benefits to simplifying and standardizing laws around data breach notification. The proposed bill will establish a single national standard to replace the patchwork quilt of state data breach laws (and will provide regulations for the few states that have no such legislation). And it will also establish some pretty stiff enforcements and penalties, which will satisfy those looking for real “teeth” in the law.

I have the least confidence about Congress’ ability to pass the Personal Data Privacy and Security Act. This law is more prescriptive than the Data Breach Notification Act. It would require all companies handling sensitive data to implement specific risk assessment and vulnerability testing measures (including controlling access to sensitive data, detecting and logging unauthorized accesses to the data, and protecting data while in transit and at rest). It also establishes a new office of the FTC to act as a watchdog.

Because the Data Privacy and Security Act federally mandates security controls, it’s bound to be a lightning rod for debate. No one disagrees that companies need to put in place the necessary controls to prevent security breaches, but there is volatile disagreement over the role of the federal government in forcing companies to comply with specific security practices. Many will invoke Sarbanes-Oxley as an example of the ills of overly aggressive federal regulation of private industry. Proponents will point to the fact that businesses are not doing a very good job at guaranteeing security and privacy left to their own devices.

What do you think? Should laws mandate how companies address and prevent security breaches, or should companies be allowed to address these on their own?