TMI: The Blurry Line Between Professional and Personal Data


Robert Tie, CFE, CFP
Contributing Editor, Fraud Magazine

Some of us complain about the blurring boundaries between our work and personal lives, but fraudsters love it. Why? Because the way many of us use personal email accounts and social media sites influences our approaches to working on corporate systems. However, the relatively indiscriminate sharing of personal data that so many consumer websites encourage is antithetical to the safe use of corporate information resources.

"Users are the predominant vector for cyber attacks on corporate systems," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber-security consultancy in Sacramento, Calif. "Fraudsters know that the user is the weak link in system security."

Recent research shows how serious and widespread this problem is. In September, Symantec Corp., a maker of anti-virus software, released its 2012 Norton Cybercrime Report, which found that in the prior 12 months an estimated 556 million people around the world fell prey to cybercrime.

Responses to Norton's survey of more than 13,000 adults in 24 countries revealed that even though users were aware of the security risks they faced online, many still didn't take steps to mitigate those dangers. While 75 percent of users said they believed cyber criminals focus on social networks, only 44 percent took advantage of applications that can protect them at such sites, and only 49 percent used those sites' privacy settings to limit how much information they share and with whom.

When such computing habits persist at work, they can threaten the safety of corporate systems and hurt the bottom line. Another study, released in October, paints a clear, worrisome picture of how badly organizations need — but often don't have — effective cyber security programs.

The 2012 Cost of Cybercrime Study conducted by the Ponemon Institute, a privacy and security think tank, under the sponsorship of tech giant HP, found that the average annualized cost of cybercrime incurred by a sample of U.S. organizations was $8.9 million — 6 percent more than in 2011 and 38 percent more than in 2010. The 2012 report also found that the average corporation experienced 102 successful cyber attacks a week, up from 72 attacks a week in 2011 and 50 attacks a week in 2010.

It's clear that organizations — and the CFEs who serve them as employees or consultants — need to come up with effective countermeasures quickly. Sometimes, though, that's easier said than done.


Case in point: In October, a client of Butterworth's firm requested a routine assessment of its system security. During its analysis, HBGary discovered that five of the client's PCs were infected with a remote administration tool (RAT), a form of malware that surreptitiously executed commands the hackers sent it while the PC was connected to the Internet. HBGary also found that the hackers' software had been in place for more than two years, secretly monitoring the client's system and transmitting confidential information to a group that Butterworth's firm determined is located in China's Shandong province — the same region to which Google traced hackers who broke into its system in 2011.
