Hackers Not the Only Causes of Data Breaches

GUEST BLOGGER

Zach Capers, CFE 
ACFE Research Specialist

In the past year, the number of reported data breaches has increased by nearly 30 percent, according to a report from the Identity Theft Resource Center. While recent headline-grabbing events such as last month’s record-setting Home Depot data breach might lead one to speculate that the majority of these breaches are the result of malicious data thieves, research indicates that a greater number are caused by employee negligence and system malfunctions. According to the Ponemon Institute’s most recent Cost of a Data Breach analysis, hackers accounted for 42 percent of all data breaches, whereas employee negligence and system defects combined for 59 percent.

As employees are increasingly able to access and transmit company data between innumerable computing devices and various storage mediums, new avenues for data loss must be addressed. Unfortunately, business policies concerning emerging technological trends and other risks related to data security are often insufficient, outdated or simply ignored.

This predicament is exemplified at many organizations by the Bring Your Own Device (BYOD) movement of recent years. As the number of employees who depend on their personal devices to accomplish occupational tasks has increased, so too have the risks of potential data breaches resulting from these devices being unsecured, misused, or lost. Additionally, because the devices are owned by employees, the company has only limited control over how they are used. Consequently, the implementation of a formal and comprehensive BYOD policy is critical to alleviate increased data risks while also allowing organizations to realize the benefits of the BYOD craze. However, despite the pervasiveness of personal device use in the workplace, a recent TEKsystems report found that more than one-third of IT professionals surveyed reported a complete lack of communication regarding BYOD.

To address these and related concerns, the ACFE’s newest two-day seminar, Protecting Data and Intellectual Property, has been designed to provide a thorough understanding not only of BYOD, but also of other burgeoning data risks such as cloud computing, social media, social engineering and increasingly sophisticated corporate espionage techniques. Furthermore, the program provides anti-fraud professionals with a solid foundation concerning the key legal issues, prevention strategies and response plans critical to securing an organization’s data.

While high-profile hacker attacks understandably generate the most Internet clicks, sound data security policies and employee awareness can foster a more secure business environment that reduces opportunities for malicious data thieves.

Investigator Dives Deep Into Digital Data & Information

MEMBER PROFILE

Tyson Johnson, CFE, CPP
VP, Business Development, BrightPlanet  
Oakville, Ontario, Canada

Before even graduating from college, Tyson Johnson, CFE, CPP, VP of Business Development at BrightPlanet in Ontario, had spent hundreds of hours conducting surveillance, performing interviews, writing reports, conducting undercover investigations, and even testifying in court. Johnson says that his passion for fighting fraud is something that has always been in him. “I spent my summers and free time between studies working as a private investigator, cutting my teeth on suspect personal injury claimants for insurance firms,” Johnson said. “It started early in my life and has simply become part of who I am.”

What steps led you to your current position?  

I have always been passionate about 'intelligence' and its ability to help nations, companies and individuals to make better decisions by identifying risks and opportunities. While in university, I knew I wanted to enter the Canadian Security Intelligence Service (CSIS). I was fortunate to be selected by CSIS, and I enjoyed my time with that organization. It was during my years as an Intelligence Officer that I obtained my CFE credential and also became aware of BrightPlanet. After departing CSIS I held progressively more senior risk management roles, starting with a global bank, and then two global manufacturing firms, before having the opportunity to join BrightPlanet.

Did you always plan to pursue the role you are currently in?  

Actually, yes. For the past decade I have used BrightPlanet's services. I began speaking with their leadership five years ago and stated that should they ever wish to move their business into the mainstream (diversify away from government contracts) I would be interested. The phone call happened about six months ago, and the rest is history. I am very excited to help my fellow CFEs with their online anti-fraud objectives.

How do you think online investigations have changed in the last five years?  

Online investigations have changed and will continue to change as fast as the technology changes. Years ago, I remember conducting an investigation and obtaining an Anton Piller order (a civil search order) to collect digital data devices for forensic review. That amounted to one desktop computer, one thumb drive and diskettes. Today, anyone looking to collect digital data will need to deal with laptops, smartphones, thumb drives, MP3 players, SD cards, Dropbox accounts, Gmail accounts and social media profiles, all while ensuring privacy laws, data ownership issues and other legal issues are properly dealt with. Not to mention the difficulties we face with Bring Your Own Device (BYOD) strategies at the workplace. This happens when personal devices are used to access the Internet within a secure environment and employees have access to confidential information.

What career advice do you have for those just starting out in the fraud-fighting field?  

Become rooted in the fundamentals of fraud investigation, but remain innovative and open to embracing changes in the legal and technological landscapes. Find a good mentor and listen to their counsel. Become a lifelong learner in fighting fraud, and take pride in your work.

Read Tyson's full profile in the Career Center on ACFE.com.

BYOD Investigations: Take Charge and Develop a Plan

GUEST BLOGGER

Walt Manning, CFE
President of Investigations MD and Breakout Session Speaker at the Upcoming 24th Annual ACFE Global Fraud Conference in Las Vegas, June 23-28

A recent NBC article, “Use your personal smartphone for work email? Your company might take it,” serves as a wake-up call to fraud examiners about the types of evidence that are potentially available in Bring Your Own Device (BYOD) investigations. Many articles discuss the problems caused by BYOD programs, but fraud examiners need to focus on the idea that BYOD can also create new career or business opportunities for investigators who know the possible challenges with BYOD investigations and have developed plans to deal with them.

Consider this scenario:

An employee named John connects to the Internet at a coffee shop with his BYOD tablet. John bought the tablet, and he also pays for the cell data plan that he uses when Wi-Fi is not available. The company has no policy regarding the use of public Wi-Fi. John uses the free coffee shop Wi-Fi, which has no security and requires no login, to connect to the office to check email and download files needed for a project team meeting.

When the team John is working with arrives to discuss a company project, John activates a personal hotspot on his tablet, providing other team members with access to the Internet and also to his connection to the corporate network. The company has no policy or training regarding how the personal hotspot should be configured to ensure a secure connection, and provides no Virtual Private Network (VPN) capabilities for security.

All five team members are connected to their cloud-based personal email accounts on Gmail, Yahoo or Outlook. Not all team members are full-time employees – two are independent contractors hired for this project only.

Does this scenario sound familiar? If you were assigned an investigation related to the expense reports submitted by this project team, would you know where to start looking? The scenario above contains potential problems, and an investigation may be more challenging because of them. Knowing where to find the evidence you need and how to preserve it may just be the keys to breaking the case.

The red flags are there: the lack of security, the lack of policies and training, and the general lack of protocols for using personal devices for business. But with those challenges comes the opportunity to dig into more data and find more evidence.

Learn about BYOD programs and develop your own game plan that will make you the “go-to” person for these investigations. I will discuss this, and more, in detail during my breakout session “BYOD (Bring Your Own Device), BYON (Bring Your Own Network) and the Evolution of Digital Forensics” at the 24th Annual ACFE Global Fraud Conference in Las Vegas, June 23-28. I hope to see you there!