I recently read about a data breach that came into public light a few weeks ago in South Carolina at the Savannah River Site (SRS), a nuclear reservation owned by the U.S. Department of Energy. This breach exposed personal information of over 12,000 employees. The state of South Carolina has been in the news over the past few months because of a massive governmental data breach caused by an international hacker that exposed millions of credit card and social security numbers.
At first I thought the SRS breach might be similar or related to the other breach, but I quickly realized there was something different about this one. According to Carla Caldwell of the Atlanta Business Chronicle, officials at the site say that the breach wasn't caused by a cyber attack. However, despite the fact that there was no hacking involved, employees are still being told “to be vigilant in monitoring financial transactions and emails or phone calls relating to such personal transactions.”
What does this mean? It means that:
- Despite the absence of a malicious hacker, a data breach still occurred, and
- Because the breach had to be reported, it likely exposed employee financial data such as credit card information or social security numbers.
Many people think that all breaches are caused by vigilante hackers, and while cyber attacks are a real threat, the truth is that a HUGE proportion of data breaches are caused by simple employee mistakes and theft of devices such as disk drives, backup tapes and personal devices such as laptops and smartphones.
According to the PricewaterhouseCoopers 2012 Information Security Survey, over 80% of enterprise data breaches are caused by employee errors. Many of these breaches occur on unencrypted mobile devices. In the healthcare industry, the Ponemon Institute found that nearly 40% of data breaches were caused by employee negligence.
Serious breaches occur inside companies simply because mistakes are made, thefts happen, and the right technology is not in place to protect sensitive data. Some of these events include:
- Backup tapes and disk drives are stolen out of cars
- Laptops and other personal devices such as iPads and phones are stolen out of cars
- Tapes, drives, and personal devices are lost (Think lost luggage, leaving items on a train)
- Employees email files containing sensitive data to their home devices
- Unauthorized employees view sensitive data at work because the right protocols are not in place to protect that data.
However there's a way to protect data even if it gets into the wrong hands: Encryption. If the data is encrypted it will be completely unreadable if it is stolen or mishandled. Protecting your encryption keys is also a critical piece in protecting sensitive data. If your encrypted backup tapes get stolen out of your car, but you've stored your encryption keys on those tapes, the thief will be able to use the keys to access the information.
To learn more about protecting encrypted data with encryption key management, download our resources package, “Encryption Key Management Simplified.”