'One fraud event a week': Survey finds internal data breaches all too pervasive

Sneaky, sneaky: Organizations suffer 55 employee-related incidents of fraud each year — mainly through employees getting hold of privileged users' credentials.

On average, organizations experience approximately one fraud event per week, mainly from the inside, a new study has estimated. However, only 44 percent of respondents said their organization views insider fraud prevention as a top security priority, a share that has declined since 2011.

Image: keyboard, photo by Joe McKendrick

The data security study (PDF), conducted by Ponemon Institute and underwritten by Attachmate Corporation, includes input from 743 IT and business executives. Roughly fifty-two security breaches a year can be very costly, given that the average cost of a data breach in a 2011 study was $194 per lost or stolen record.

Part of the reason why security breaches are so costly is that it takes an average of 87 days to first recognize that insider fraud has occurred, and more than three months (105 days) to get at the root cause of the fraud, the study found.

On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months, about the same as in last year's survey (53 incidents).

The most commonly reported problem, cited by 79 percent of respondents, is co-workers' credentials being used to gain elevated rights or bypass separation-of-duty controls. Another 79 percent said they have had instances in which a privileged user altered application controls to access or change sensitive information, and then reset the controls afterwards (sneaky). Worse yet, 74 percent said an employee's malfeasance has caused "financial loss and possibly brand damage".

In addition, no matter how much you love your DBA or appdev manager, it's important to have a policy of "trust, but verify", with checks and balances on all data access, back door or front end. The same 79 percent figure is the lesson here: respondents said a privileged user in their organization has altered, or is very likely to alter, application controls to access or change sensitive information and then reset the controls, so the verification has to catch a control that was quietly switched off and back on, not just one that stayed off.
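The "alter the control, touch the data, reset the control" pattern above is detectable from ordinary audit logs if the check correlates control changes with data access by the same actor on the same target. The following is an added example written for this page, not code from the article or from Ponemon or Attachmate; the log format (key=value fields after an ISO timestamp), the action names and the sample lines are all constructed for illustration.

```python
"""Detect privileged users who disable a control, access data, then re-enable it.

Assumed log format (hypothetical, constructed for this example):
    <ISO-8601 UTC timestamp> actor=<user> action=<action> [control=<name>] target=<dataset> [rows=<n>]
Actions of interest:
    control_disabled / control_enabled  -- a control toggled on a target
    data_read / data_update / data_export -- access to the target's data
"""
from datetime import datetime, timezone

# Constructed sample audit log; deliberately out of time order so that sorting matters.
SAMPLE_LOG = """\
2012-10-02T09:14:03Z actor=dba_alice action=control_disabled control=row_level_security target=payroll
2012-10-02T09:14:40Z actor=dba_alice action=data_read target=payroll rows=4120
2012-10-02T09:16:12Z actor=dba_alice action=control_enabled control=row_level_security target=payroll
2012-10-02T11:02:55Z actor=app_bob action=data_read target=orders rows=15
2012-10-03T15:30:00Z actor=dba_carol action=control_disabled control=audit_trigger target=gl
2012-10-03T15:31:10Z actor=dba_carol action=data_update target=gl rows=3
2012-10-05T08:00:00Z actor=dba_carol action=control_enabled control=audit_trigger target=gl
2012-10-04T10:00:00Z actor=dba_dave action=control_disabled control=audit_trigger target=ar
2012-10-04T10:00:30Z actor=dba_dave action=control_enabled control=audit_trigger target=ar
"""

ACCESS_ACTIONS = {"data_read", "data_update", "data_export"}


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    events.sort(key=lambda e: e["ts"])
    return events


def find_alter_access_reset(events):
    """Return one finding per control that was disabled, used for data access, then re-enabled.

    A window opens on control_disabled and is keyed by (actor, control, target).
    Any data access by the same actor on the same target while the window is open
    is attributed to it. The window closes on the matching control_enabled; if it
    saw at least one access, that is a finding. A bare disable/enable with no
    access in between (dba_dave below) is a weaker signal and is not reported here.
    """
    findings = []
    open_windows = {}
    for e in events:
        actor, action, target = e["actor"], e["action"], e["target"]
        if action == "control_disabled":
            open_windows[(actor, e["control"], target)] = {"disabled_at": e["ts"], "accesses": []}
        elif action in ACCESS_ACTIONS:
            for (w_actor, _control, w_target), window in open_windows.items():
                if w_actor == actor and w_target == target:
                    window["accesses"].append(e)
        elif action == "control_enabled":
            window = open_windows.pop((actor, e["control"], target), None)
            if window and window["accesses"]:
                findings.append({
                    "actor": actor,
                    "control": e["control"],
                    "target": target,
                    "disabled_at": window["disabled_at"],
                    "enabled_at": e["ts"],
                    "exposure_seconds": int((e["ts"] - window["disabled_at"]).total_seconds()),
                    "access_count": len(window["accesses"]),
                    "rows_touched": sum(int(a.get("rows", 0)) for a in window["accesses"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_alter_access_reset(parse_log(SAMPLE_LOG)):
        print(f"{f['actor']} disabled {f['control']} on {f['target']} for "
              f"{f['exposure_seconds']}s and touched {f['rows_touched']} rows in "
              f"{f['access_count']} access(es)")
```

Two caveats a practitioner would add. First, the correlation key is the actor name; when the other 79 percent finding applies and a colleague's credentials were used, the actor field lies, so the same check should also be keyed on session identifier or source address where the platform records them. Second, the audit trail itself is a control: if `audit_trigger` is what gets disabled, the data access in between may never be logged, which is why the disable/enable pair alone (the dba_dave case) deserves at least a low-severity review rather than silence.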

BYOD is also a complicating factor. Almost half (48 percent) of respondents said that BYOD has resulted in a significant increase in fraud risk, and 77 percent said the lack of security protocols over edge devices presents a significant security challenge and risk. More than a third said that employees' use of their own devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems.