Most security breaches involve human error

By Mark Pribish
Vice President and ID Theft Practice Leader

Whenever I speak publicly, I always talk about how information technology and hacking are the "sizzle" that helps create the headline news for data-breach events.

However, this week's news that 31 world leaders, including President Obama, had their personal information breached, including name, date of birth and passport number, should remind employers and employees that human error is a significant factor in data breach events.

In this case, an Australian immigration service employee mistakenly e-mailed the sensitive information of the above-mentioned world leaders days before November's G-20 summit in Brisbane, Australia.

However, the Australian immigration department did not report the breach to the world leaders even though it was a clear violation of the privacy laws of three of the affected countries (the U.K., France and Germany), all of which require mandatory notification for data breach victims.

Well, it gets worse. According to IBM's 2014 Cyber Security Intelligence Index, "95 percent of all security incidents involve human error."

According to IBM's report, "many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information."

In January, Vormetric, a data security firm, released its 2015 Insider Threat Report and found that 93 percent of U.S.-based organizations surveyed believed that they were vulnerable to insider threats.

The Vormetric survey received responses from more than 800 organizations worldwide. I read with great interest the following four highlights:

  • 59 percent of U.S. respondents believed privileged users posed a threat to their organization.
  • 46 percent named contractors and service providers as a risk to their organization.
  • 43 percent said that business partners were a threat.
  • 59 percent agree that most information technology security threats from insiders are the result of innocent mistakes.

I believe businesses, especially small- to medium-size businesses, need to understand that current and former employees, vendors and even customers are a potential source of a future data breach event, whether it is an accidental release of information or an act of malicious intent.

For the purpose of transparency, half of my company is in the ID theft and data breach risk management business and the other half is in the background screening and behavioral testing business. My colleague Jim Collins, a longtime background screening expert, said that "as per industry best practices, businesses should not underestimate the insider threat."

Collins said, "While most organizations require background checks at the time of employment, very few employers conduct regular screening of their employees, such as annual background checks."

This means that longtime employees who have access to the most sensitive personal, company and proprietary information could be a threat based on "unknown changes in that employee's personal and professional life," Collins said.

The Vormetric threat report said that "almost half of the U.S. organizations polled experienced a data breach or failed a compliance audit in the past year - which tells us the situation has probably gotten more complicated."

It doesn't take the president or world leaders to recognize that employees - or even you - can make a mistake in data management and protection. Focus on increased employee education on information security.


To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.


Scam Alert -- Job Hunters Beware. Don't Fall for This Scam

Looking for a job as a nanny, babysitter or caregiver? Be careful when responding to job postings or emails. A new scam is preying on job seekers.

How the Scam Works:

You spot a help-wanted ad online or receive an email from a "recruiter." A couple is moving to the area and looking for a nanny for their children or a caregiver for an elderly relative. The family currently lives in another state, but they want to hire someone before they move.

The job sounds like a great opportunity, so you respond to the ad by sending an email with your resume. You get the job -- without an interview -- and will start in a few weeks! However, your new boss just needs you to run an errand before the family arrives. In one common scenario, you need to accept the delivery of a medical device. Your employer sends you a check to deposit and asks you to keep some money as payment for your services and then transfer the rest to a third party - supposedly to pay for the goods.

Don't do it! The check and the third party are both fakes. It can take weeks for your bank to determine a check is phony, and if you withdraw the money before that time, you're on the hook to pay back the bank. If you've already transferred the money to the third party, it's gone.

How to Spot a Job Scam:

  • Don't fall for an overpayment scam. No legitimate job would ever overpay an employee and ask him/her to wire the money elsewhere. This is a common trick used by scammers.
  • Some positions are more likely to be scams. Always be wary of work from home, secret shopper positions or any job with a generic title, such as caregiver or customer service representative. These positions often don't require special training or licensing, so they appeal to a wide range of applicants. Scammers know this and use these otherwise legitimate titles in their fake ads.
  • If a job looks suspicious, search for it online. If the result comes up in other cities with the exact same job post, it is likely a scam. Also, check the real company's job page to make sure the position is posted there.
  • Watch out for on-the-spot job offers. You may be an excellent candidate for the job, but beware of offers made without an interview. A real company will want to talk to a candidate before hiring him or her.
  • Look for typos and bad grammar. If the offer is coming from a well-known brand, its email shouldn't be riddled with bad writing.

For More Information

To learn more, check out the alert from the Federal Trade Commission. To find out more about other scams, check out BBB Scam Stopper (bbb.org/scam).

Courtesy of the Better Business Bureau - for more information visit http://www.bbb.org/phoenix/news-events/

If you believe your identity has been stolen, call 866.SMART68 today.