Company insiders behind 1 in 4 data breaches – study

The admins among you will be unsurprised to discover that, more than a quarter of the time, data breaches across the world originated between the chair and the keyboard of organisation "insiders". And no, we don't mean they clicked on a dodgy link... The latest edition of Verizon's Data Breach Investigations Report (DBIR) …

  1. alain williams Silver badge

    Another mitigation strategy

    is to not overwork people. When rushing to get something done quickly it is so easy to make mistakes, not take the time to check, ... The hapless employee is then held up to blame, not the manager who put them under too much pressure.

  2. Anonymous Coward

    This is why it's so important...

    ... to always respect your users.

    I've come across large environments where there was a seriously bad atmosphere of "us against them", because obviously the users are stupid (in all fairness: they often do behave that way) and therefore us admins are smarter / better / etc. and they need to listen to us. Generating a real "us vs them" scenario which - in my opinion - is a stupid thing to do on all fronts.

    One reason being mentioned in the article. If you work somewhere and tech support mostly works against you rather than with you, in such ways that you sometimes circumvent the system merely to get your work done (I've seen scenarios like this), then wouldn't that make it all the more appealing if some stranger comes up to you and asks you to perform a simple and 'innocent' task? Maybe installing that small program can actually speed up your machine to normal speeds, something you've been asking support about for the past 4 weeks already.

    Sure it sounds stupid and extremely naive. But that doesn't make it less feasible.

    Now, I'm not saying that admins should give users everything they want, it obviously doesn't work that way, but the message can sometimes be presented much better. I mean...

    "I need a faster computer" => "Sorry, we're not going to do that".

    ... can easily result in "Aha, so there ARE faster computers but they simply refuse to give me one. Even though I obviously need it".

    "I need a faster computer" => "Sorry, we're not going to do that because we don't have any available."

    ... which could set a whole different message. It's not because we don't want to give you a new PC, it's because we can't. Easy.

    I know that this doesn't always apply. But sometimes giving a simple explanation to an end user with a little reasoning behind it can set a much different atmosphere.

    It's not always about you, the admin, but your users as well.

  3. Hans Neeson-Bumpsadese Silver badge

    Comparison

    I wonder how the statistics for data theft compare against theft of other types of things, for example how much of a store's inventory gets stolen by light-fingered warehouse staff versus being shoplifted from the shop floor?

    1. AMBxx Silver badge

      Re: Comparison

      Must admit, if I'd had to guess a percentage, would have been way more than 25% for data breaches

      1. Hans Neeson-Bumpsadese Silver badge

        Re: Comparison

        Must admit, if I'd had to guess a percentage, would have been way more than 25% for data breaches

        The thing is, data can be copied and if you can do that without anyone noticing, it's reasonable to expect that theft not to be counted in the percentages.

        If someone hoists a physical box of widgets from the warehouse, there's a tangible hole in the inventory that's easy to spot. Bits'n'bytes are all a bit ephemeral... the figures quoted must be more to do with thefts that have been detected (or maybe some speculation like statistically 'x' percent of sysadmins/DBAs must be bent).

        1. tfewster
          Facepalm

          Re: Comparison

          From the headline, I thought that this would be another report demonising sysadmins/DBAs, but it turns out to be a bit of a damp squi[bd] - Browsing a celebrity's medical records is a data breach*, but hardly in the same class as copying the entire database.

          * And more likely to get flagged than a sysadmin's/DBA's** misdeeds. Certainly both ends of the scale of breaches are of concern, but misusing statistics to represent them as the same thing is just as criminal.

          ** Everyone has their price. Mine is about £5m, to cover the fact I'd never get another sysadmin's job and to support me in a safe, secure lifestyle in a country with no extradition treaties.

        2. Anonymous Coward

          Re: Comparison

          I expect BlockChain will put an end to it.

        3. The Nazz

          Re: Comparison

          It's possible to not get noticed though :

          https://www.youtube.com/watch?v=ws-_syszg84

          Always makes me chuckle.

          A huh, what model is it ....

    2. The Nazz

      Re: Comparison

      Take it a step further.

      I'd be interested to know how many "new" businesses have been created purely as a result of trusted employees taking (more of a fraud by abuse of position than actual theft*) the business data of their current employer and using that to start a rival business. No hard graft to get started, no hard thinking to come up with ideas for a product, no research of gaps in the market, just simply taking someone else's business away.

      Normally I'm with the "copying is categorically not theft" brigade, by a long chalk, but this sort of caper is as close to "theft" as can be. Of course, the customers are usually happy about it though.

      In my experience, not an unusual event at all.

  4. Christian Berger

    Well of course...

    if there is nobody inside the company who collects data, nobody outside can steal it.

    It's not the leaks that are the problem, it's the collecting. If your business model is based on collecting data you normally shouldn't have, maybe your business model needs to be outlawed.

    1. AMBxx Silver badge
      Facepalm

      Re: Well of course...

      Um, like having the company details of my customers so that I can send them an invoice?

      There's more to data collection than marketing crap from Facebook et al.

      1. Doctor Syntax Silver badge

        Re: Well of course...

        "Um, like having the company details of my customers so that I can send them an invoice?"

        Or like collecting and keeping your customers' credit card details so they don't have to enter them again? Unencrypted?

  5. Chozo
    Coat

    I still get good results moonlighting as an office cleaner. Oops, I knocked the bin over, I'll just get under the desk...

    Mine's the one with a pocket full of key loggers

  6. Sixtysix
    Stop

    25% is WAY TOO LOW

    One in four data breaches that have been owned up to...

    I refuse to believe, given the current definitions of Personal / Sensitive / Official data that the real figure is anywhere near as low as 25%...

    But we will never know how high it really is as most minor breaches cannot be traced, and will go unreported.
