Data breaches untrained workers

Your biggest problem? People.

Organizations in every industry sector — private and public — need to step up to the plate and develop comprehensive risk management strategies that include strong ongoing data protection and security awareness programs to help protect the PII and other sensitive information of their customers, clients and employees.

As Barbra Streisand sang, "People who need people are the luckiest people in the world." Unfortunately, they're also the major cause of data breaches.

Organizations — as we reported in parts one and two of this study — could drastically reduce and prevent most internal and many external data breaches if they implemented risk management strategies with ongoing data protection and security awareness programs to educate all employees and third parties.

Analysis

"No matter how much companies spend on digital defenses, hackers often still get in [to computer networks] by persuading an employee to click on a link or cough up a password," wrote Danny Yadron in his April 19, 2015, article, The Man Who Hacks Your Employees, in The Wall Street Journal. Are the people problems that underlie internal threats more troublesome than they appear? Yes, because, in addition to driving the internal threats, these problems also drive most of the external ones and, as a result, increase the risk of a data breach. Why is that?

As shown in part one of this study, a variety of internal and external causal factors precipitate data breaches; those driven by external hackers are the most prominent. Constant threats also include current and former employees, third-party contractors (such as external auditors and lawyers) and those responsible for disposing of data properly, because they all have access to records containing personally identifiable information (PII) and are trusted to handle it professionally.

If the security measures that protect PII are inadequate, then the probability of a breach from internal and external threats is roughly equal. And if organizations fail to secure their data centers against unauthorized entry, or leave physical records exposed or the devices that hold them unsecured, the likelihood of internal or external theft rises.

These situations, of course, can lead to current or former employees and others stealing records. If organizations don't keep the software on their internet- and intranet-facing systems current and don't protect those networks with an industry-standard firewall, records are exposed to internal and external hackers. Risk is also elevated when organizations 1) have no policy to cut off terminated employees' access to PII and 2) don't screen and train the third parties who handle PII: companies hired to transport or dispose of sensitive records, plus employees, auditors and consultants who copy PII to their laptops and take it outside the organization.

Organizations have the power to prevent the vast majority of these data breaches if they can control their major cause: simple phishing schemes. For example, in the opening case of part one, roughly 100 financial institutions in some 30 countries lost up to $1 billion because of a spear-phishing campaign that tricked employees into running malware and so handed control of bank transfer activities to external hackers. (See The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide, Viral News, Feb. 16, 2015 at Kaspersky Lab.) Wow! This beats working for a living. If the banks had trained these employees properly (e.g., in this case, how to detect phishing schemes), these losses could've been prevented.

But therein lies the rub: Many large and small organizations — cognizant of the great risks — are attempting to train their employees, but still are seeing data breaches. What to do? We have some recommendations.

Firm enforcement with a smile

The following security measures and guidelines, although not comprehensive, are excellent starting points for organizations to include in their security awareness and data protection programs. However, none of them will work if top management doesn't actively and humanely espouse them. The tone-at-the-top concept doesn't just compel C-suiters to avoid bad conduct; it also requires them to model good behavior.

We can't stop all data breaches, because people will make non-malicious mistakes that expose PII, such as leaving a workstation unlocked over lunch or forgetting to shred documents before tossing them in a trash receptacle. But we sure can do a better job of controlling these types of threats and preventing the more malicious ones.


These basic suggestions, although not meant to cover every aspect of data security, will be good starting points to help reduce and manage risks associated with internal and external data breaches and thus help to protect PII and other important information. Some are obvious but still easily dismissed.

  1. Require employees at all levels to buy into mandatory, ongoing (the key word is ongoing) security-awareness and data-protection programs covering internal- and external-threat risks and emerging cybersecurity schemes.
  2. Require departing employees, especially those who have been terminated, to turn in any records or devices containing PII; you can withhold final benefits or severance until you're assured they have. Disable their accounts and credentials on the day they leave, and institute policies that prevent them from regaining access to PII.
  3. Evaluate the data protection policies of service providers to ensure they're adequate to safeguard PII.
  4. Evaluate policies to protect and safeguard PII stored in the cloud.
  5. Safeguard PII on all devices, and whenever it's transmitted wirelessly or over public networks, with the Advanced Encryption Standard (AES) at 128-, 192- or 256-bit key sizes, not the legacy 56-bit Data Encryption Standard (DES), whose keys have been brute-forced with purpose-built hardware since the late 1990s, returning the data to plain text.
  6. Require employees to use strong, unique passwords for all their devices and accounts and to change them at proper intervals.
  7. This measure might be drastic, but consider prohibiting employees from using removable storage devices, such as thumb drives, and requiring them to check in all personal devices at a central desk in each building.
  8. If employees transport data away from facilities, they should take extra precautions to protect it, especially when moving it on portable devices, such as laptops, smartphones and tablets.
  9. Screen third-party contractors and require them to participate in security awareness programs. Require criminal background checks of those whose reputations are unknown.
  10. Use up-to-date firewalls and anti-malware and antivirus software.
  11. Require employees and third-party contractors to inform the organization if data records in their possession are lost or stolen.
  12. Restrict entry to the data center to individuals with the proper credentials.
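Item 5 names the mechanism but not how it is applied, so here is an added example, written for this edit rather than taken from the authors or from any product they mention, of protecting a PII record with AES-256 in GCM mode using only the Go standard library. GCM is an authenticated mode: besides hiding the record it lets the receiver detect any modification, which a bare block cipher does not. The record contents, the key handling and the `Encrypt`/`Decrypt` names are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes = 256 bits. AES also accepts 16-byte (128-bit) and
// 24-byte (192-bit) keys; aes.NewCipher rejects anything else.
const KeySize = 32

// NewKey returns a fresh random AES-256 key. In production the key belongs
// in a key-management service or HSM, never stored beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // authenticated mode: tampering is detected, not just hidden
}

// Encrypt returns nonce || ciphertext || GCM tag. A fresh random 96-bit nonce is
// drawn per message; reusing a nonce under the same key destroys GCM's guarantees.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if the blob was altered in transit or at rest.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	key, _ := NewKey()
	record := []byte("name=Jane Doe;ssn=123-45-6789") // constructed PII record
	blob, _ := Encrypt(key, record)
	fmt.Printf("%d plaintext bytes -> %d bytes stored\n", len(record), len(blob))
	if pt, err := Decrypt(key, blob); err == nil {
		fmt.Println("decrypted:", string(pt))
	}
	blob[len(blob)-1] ^= 1 // flip one bit of the authentication tag
	if _, err := Decrypt(key, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The cipher is the easy part: what decides whether the PII stays protected is where the key lives, who can call `Decrypt`, and that each message gets a nonce that is never repeated. For data crossing public networks this same construction is what TLS provides; use TLS for the transport and reserve direct AES-GCM for records at rest.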

The following established practices, from a data-recovery site, can help maximize network data security.

  • Plan for optimal network security by balancing the access your servers must provide against restrictions on who can reach them.
  • To help prevent direct access to servers by unauthorized personnel, consider outsourcing the hosting of corporate services to a data center that can provide better network security, disaster recovery and rigorous physical security.
  • Your network data-security policy will work only if you get employees' buy-in, distribute information handouts to all employees and contractors, and conduct surprise security audits.
  • Update all software with the latest patches to close the vulnerabilities hackers exploit in operating systems, databases and even specialized packages such as customer relationship management (CRM) or enterprise resource planning (ERP) systems.
  • Use an industry-standard firewall to safeguard your network from intrusions, and audit its rules periodically: rules accumulate, "temporary" any-to-any allowances linger, and a rule placed after a broader one can be shadowed so that it never takes effect.
  • Use newer strategies such as regular remote backups and data replication, even while systems are live. Safeguard the backups themselves; careless backup handling could be your biggest security threat.
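The firewall-audit bullet says to review rules periodically but not what to look for, so here is an added example (written for this edit, not from the data-recovery site or the authors) that audits a first-match rule set for the two commonest findings: an allow-everything rule, and rules shadowed by an earlier rule so that they can never fire. The five-field rule syntax (`action proto src-cidr dst-cidr port`) and the sample policy are assumptions constructed for the demonstration; real firewalls export richer formats, but the containment logic is the same.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Rule is one entry in a first-match policy written as
// "action proto src-cidr dst-cidr port", e.g. "allow tcp 10.0.0.0/8 10.1.0.5/32 443".
// Port "any" means every port; proto "any" means every protocol.
type Rule struct {
	Action, Proto string
	Src, Dst      netip.Prefix
	Port          int // 0 = any
}

// ParseRule parses one rule line (constructed syntax for this example).
func ParseRule(line string) (Rule, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Rule{}, fmt.Errorf("want 5 fields, got %d: %q", len(f), line)
	}
	r := Rule{Action: strings.ToLower(f[0]), Proto: strings.ToLower(f[1])}
	if r.Action != "allow" && r.Action != "deny" {
		return Rule{}, errors.New("action must be allow or deny")
	}
	var err error
	if r.Src, err = netip.ParsePrefix(f[2]); err != nil {
		return Rule{}, err
	}
	if r.Dst, err = netip.ParsePrefix(f[3]); err != nil {
		return Rule{}, err
	}
	r.Src, r.Dst = r.Src.Masked(), r.Dst.Masked() // canonical network addresses
	if f[4] != "any" {
		if r.Port, err = strconv.Atoi(f[4]); err != nil || r.Port < 1 || r.Port > 65535 {
			return Rule{}, fmt.Errorf("bad port %q", f[4])
		}
	}
	return r, nil
}

// contains reports whether every address in inner also lies in outer.
func contains(outer, inner netip.Prefix) bool {
	return outer.Bits() <= inner.Bits() && outer.Contains(inner.Addr())
}

// covers reports whether any packet matched by b would already have matched a,
// i.e. b is unreachable if a precedes it.
func covers(a, b Rule) bool {
	return (a.Proto == "any" || a.Proto == b.Proto) &&
		contains(a.Src, b.Src) && contains(a.Dst, b.Dst) &&
		(a.Port == 0 || a.Port == b.Port)
}

func isAllowAll(r Rule) bool {
	return r.Action == "allow" && r.Proto == "any" && r.Port == 0 &&
		r.Src.Bits() == 0 && r.Dst.Bits() == 0
}

// Audit parses the policy and returns one finding per problem, in rule order.
func Audit(lines []string) ([]string, error) {
	var rules []Rule
	for i, l := range lines {
		r, err := ParseRule(l)
		if err != nil {
			return nil, fmt.Errorf("rule %d: %w", i+1, err)
		}
		rules = append(rules, r)
	}
	var findings []string
	for i, r := range rules {
		if isAllowAll(r) {
			findings = append(findings, fmt.Sprintf("rule %d allows all traffic from anywhere to anywhere", i+1))
		}
		for j := 0; j < i; j++ { // only earlier rules can shadow in a first-match policy
			if covers(rules[j], r) {
				findings = append(findings, fmt.Sprintf("rule %d is shadowed by rule %d and never matches", i+1, j+1))
				break
			}
		}
	}
	return findings, nil
}

// SamplePolicy is a constructed rule set, not taken from any real device.
var SamplePolicy = []string{
	"allow tcp 10.0.0.0/8 10.1.0.5/32 443",
	"allow tcp 10.2.0.0/16 10.1.0.5/32 443", // subset of rule 1: dead
	"allow any 0.0.0.0/0 0.0.0.0/0 any",     // the "temporary" any/any that was never removed
	"deny any 0.0.0.0/0 10.1.0.9/32 any",    // dead: rule 3 already allowed it
}

func main() {
	findings, err := Audit(SamplePolicy)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run against the sample policy this reports rule 2 shadowed by rule 1, rule 3 as an allow-all, and rule 4 shadowed by rule 3; the last finding is the one auditors most often miss, because the deny looks correct in isolation and only the ordering makes it useless.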

According to the data-recovery website, intrusion detection is the basic driver of network security: the science of detecting malicious activity on a computer network. Intrusion detection, which maps closely onto the internal and external causal factors identified in this study, is classified into:

Internal intrusion detection

Misuse or malicious activity that compromises network security from within the computer network (typically internal organizational fraud), which reflects the "internal" causal factors of this study.

External intrusion detection

Hacker or cracker attacks from outside the computer network that compromise network security, which reflect the "external" causal factors.

Typical intrusion detection methods

Anomalous (out-of-the-ordinary) intrusion detection

This method establishes what normal access looks like and flags any new or strange access to the computer network. (It's also known as behavior-based intrusion detection.)

Intrusion detection based on past patterns of intrusions

Past intrusions leave recognizable patterns, and pattern-based intrusion detection checks whether any of those known patterns recur on the network. (It's also known as knowledge-based, or signature-based, intrusion detection.)

According to the data-recovery website, if an organization has limited qualified intrusion-detection staff, then knowledge-based systems are the better choice, because they raise fewer false alarms than behavior-based systems. The trade-off is that a knowledge-based system can only catch intrusions for which a pattern has already been written; a behavior-based system can flag a genuinely new attack, at the cost of also flagging harmless novelty.
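To make the two approaches and the false-alarm trade-off concrete, here is an added example (written for this edit, not from the data-recovery site or the authors) that runs a knowledge-based detector and a behavior-based detector side by side over a handful of constructed authentication-log lines. The `key=value` log format, the blocklist, the signature rules and the sample events are all assumptions made for the demonstration. The knowledge-based rules match known patterns (privileged-account probing, a blocklisted source); the behavior-based rule learns which source each user normally logs in from and flags any pair it has not seen, which catches the attacker but also an employee logging in from a hotel.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed authentication-log record (constructed format).
type Event struct {
	Src    string // source IP address
	User   string // account name attempted
	Failed bool   // true when result=FAIL
}

// ParseLine parses "src=... user=... result=OK|FAIL"; ok is false if a field is missing.
func ParseLine(line string) (e Event, ok bool) {
	have := map[string]bool{}
	for _, field := range strings.Fields(line) {
		k, v, found := strings.Cut(field, "=")
		if !found {
			continue
		}
		switch k {
		case "src":
			e.Src = v
		case "user":
			e.User = v
		case "result":
			e.Failed = v == "FAIL"
		default:
			continue
		}
		have[k] = true
	}
	return e, len(have) == 3
}

// ParseAll parses lines and silently drops malformed ones.
func ParseAll(lines []string) []Event {
	var out []Event
	for _, l := range lines {
		if e, ok := ParseLine(l); ok {
			out = append(out, e)
		}
	}
	return out
}

// Signature is a knowledge-based rule: a pattern taken from past intrusions.
type Signature struct {
	Name  string
	Match func(Event) bool
}

// blocklist holds sources reported in earlier incidents (constructed).
var blocklist = map[string]bool{"198.51.100.77": true}

func DefaultSignatures() []Signature {
	return []Signature{
		{Name: "attempt on default/privileged account", Match: func(e Event) bool {
			return e.User == "root" || e.User == "admin" || e.User == "administrator"
		}},
		{Name: "source address on blocklist", Match: func(e Event) bool { return blocklist[e.Src] }},
	}
}

// Baseline records which sources each user normally logs in from.
type Baseline struct{ known map[string]map[string]bool }

// Train learns the baseline from successful logins during a quiet period.
func Train(events []Event) *Baseline {
	b := &Baseline{known: map[string]map[string]bool{}}
	for _, e := range events {
		if e.Failed {
			continue
		}
		if b.known[e.User] == nil {
			b.known[e.User] = map[string]bool{}
		}
		b.known[e.User][e.Src] = true
	}
	return b
}

// Anomalous is the behavior-based rule: a user/source pair absent from the baseline.
func (b *Baseline) Anomalous(e Event) bool { return !b.known[e.User][e.Src] }

// Alert is one detector finding; Method is "knowledge-based" or "behavior-based".
type Alert struct {
	Method, Reason string
	Event          Event
}

// Detect runs both detectors over the monitored events and returns every alert in order.
func Detect(b *Baseline, sigs []Signature, events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		for _, s := range sigs {
			if s.Match(e) {
				alerts = append(alerts, Alert{Method: "knowledge-based", Reason: s.Name, Event: e})
			}
		}
		if b.Anomalous(e) {
			alerts = append(alerts, Alert{Method: "behavior-based", Reason: "login from a source not in baseline", Event: e})
		}
	}
	return alerts
}

// Constructed sample logs; not real traffic.
var BaselineLog = []string{
	"src=10.1.1.5 user=alice result=OK",
	"src=10.1.1.5 user=alice result=OK",
	"src=10.1.1.7 user=bob result=OK",
}

var MonitoredLog = []string{
	"src=10.1.1.5 user=alice result=OK",       // routine: no alert
	"src=198.51.100.77 user=admin result=FAIL", // attacker: both detectors fire
	"src=203.0.113.40 user=bob result=OK",      // bob from a hotel: behavior-based only
	"this line is not a log record",            // malformed: skipped by ParseAll
}

func main() {
	b := Train(ParseAll(BaselineLog))
	for _, a := range Detect(b, DefaultSignatures(), ParseAll(MonitoredLog)) {
		fmt.Printf("%-16s %-40s src=%s user=%s\n", a.Method, a.Reason, a.Event.Src, a.Event.User)
	}
}
```

The attacker's attempt produces two knowledge-based alerts and one behavior-based alert; bob's hotel login produces only a behavior-based alert, which is exactly the extra alarm the passage above warns a thinly staffed team will have to triage. A signature for a new attack can be added only after someone has seen it, so in practice the two methods are deployed together.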

Further classifications of intrusion detection

Host-based, intrusion-detection methods for networking security

Host-based intrusion detection software runs on individual servers and monitors them continuously, typically by examining log files and system activity, and is best placed to detect internal malicious activity.

Network intrusion detection methods for networking security

These methods monitor network traffic, in real time or from offline captures and logs, to detect intrusions into host computers, and are typically most useful against attacks arriving from outside the network.

Data Recovery offers this advice to make intrusion detection systems more efficient:

  • Data overload is the most pressing problem for intrusion detection systems. Organizations need techniques to reduce the quantity of data the systems must analyze.
  • Data-mining techniques, the site argues, are the only practical way to ease knowledge-based intrusion detection and make intrusion detection as a whole more manageable.

Step up to the plate

The findings of this three-part study of Privacy Rights Clearinghouse (PRCH) data breaches and related compromised records over 10 years strongly indicate that organizations in every type of industry are experiencing serious long-term problems with various types of internal and external data breaches and are therefore exposing millions of records. Hence, the FBI continues to rank identity theft as the No. 1 fraud problem.

The situation actually is much worse than indicated, because the data breaches analyzed in this study represent only a small (though representative) sample of actual breaches, and the reported numbers of compromised records are grossly understated, according to the PRCH. Many U.S. organizations that incur data breaches are reluctant to report them and take advantage of loopholes in state breach-notification laws that allow them to opt out.

Organizations can develop more workable safeguards for protecting records by classifying data breaches, related compromised records and industry sectors with the practical methodological framework of the Holtfreter and Harrington model.


I know you're convinced. But in my wildest dreams, I'd love to gather top management in a huge arena and preach these prevention, detection and deterrence methods and tell them the financial and behavioral expenditures far outweigh the costs in the aftermath of data breaches.

Our recommendations in these articles are just a starting point that can lead to reducing identity theft throughout the world. Good luck!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE Advisory Council and the ACFE Editorial Advisory Committee. His email address is: doctorh007@gmail.com.

Adrian Harrington, an Associate Member of the ACFE, is Holtfreter's research assistant and a former student in his Fraud Examination class. His email address is: aaharrington87@gmail.com.
