University Data Breaches Underscore Need for Employee Security Training - Data Security Requires Constant Reminders (Page 2 of 2)
Instead of a big training session that employees might just “roll their eyes and tune out” of, organizations should make
information security a part of the business process, Application Security's Shaul said. This
can take the form of signs and other visual cues reminding users that they
can’t copy data onto unsecured drives, much like the signs
reminding users to shred sensitive documents, he said.
Even the best trained and security-savvy employee
can make mistakes. So even with education in place, policy needs to be
defined so that mistakes can be caught and to keep honest people
honest, Ken Ammon, chief strategy officer at Xceedium, told eWEEK.
Good processes should prevent unsafe handling of
information because they catch the instances when a user is lax, Credant Technologies' Webb
said. For example, requiring the employee to do a final check and to
document that the files were copied to the correct server would
ensure that mistakes are caught before they become a breach.
A security breach at the University of South
Carolina Sumter exposed the Social Security numbers and other personally
identifying information of nearly 31,000 faculty,
staff, retirees and students on the Internet, according to TheState.com. While the
breach was discovered in January, the university waited until March 1 to
notify affected users because it wanted to ensure that all
affected people had been identified, USC spokeswoman Margaret Lamb told
The State.
The breached server was located on the USC Sumter
campus, but all eight campuses were affected, the university said. The
security breach was caused by human error, but USC declined to provide additional details.
The 2010 data breach report from Ponemon Institute found that nearly 41 percent of the breaches in 2010 were caused by “negligence.”
Technical controls need to be in place as the last
line of defense against accidental breaches, Credant Technologies' Webb said. When a user
makes a mistake through lack of knowledge and no process exists to
correct it, technology that catches the violation can still
prevent the breach from happening. For example,
software that prevents sensitive information from being written to flash
drives, even temporarily, would ensure that the data won’t leave the corporate
environment if the device is lost, he said.
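The process check Webb describes (a final, documented check that files went to the correct server) and the technical control he recommends (software that refuses to write sensitive data to removable media) can be combined in a single content-aware gate that inspects the data, classifies the destination, and records the decision. The Python below is an added example written for this page; it is not code from the article, from Credant Technologies or from Application Security. The dashed-SSN pattern, the destination naming convention (server://host/path for network servers, a mount path or drive letter for removable media), the approved-host list and the sample records are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample data: the kind of export that leaks SSNs alongside names.
# Both numbers are well-known public example SSNs, not real identities.
SAMPLE_EXPORT = (
    "id,name,ssn,department\n"
    "1001,Jane Doe,219-09-9999,History\n"
    "1002,John Roe,078-05-1120,Chemistry\n"
)
SAMPLE_CLEAN = "id,name,department\n1001,Jane Doe,History\n"

# Hypothetical allowlist of servers that may hold sensitive records.
APPROVED_SERVERS = {"files.example.edu", "archive.example.edu"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Apply the SSA's structural rules so that obvious non-SSNs don't trip the gate:
    area 000, 666 and 900-999 are never issued; group and serial are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text):
    """Return every dashed SSN-looking token in text that passes the plausibility rules."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def mask_ssn(ssn):
    """Keep only the last four digits in audit records; the log must not become a second leak."""
    return "***-**-" + ssn[-4:]


def classify_destination(dest):
    """Classify a destination string under the assumed convention:
    'server://host/path' is a network server (approved only if host is allowlisted);
    a /media or /run/media mount or a non-C: drive letter is treated as removable media;
    anything else is unknown and is never a valid place for a documented copy."""
    if dest.startswith("server://"):
        host = dest[len("server://"):].split("/", 1)[0]
        return "approved" if host in APPROVED_SERVERS else "unknown"
    if dest.startswith(("/media/", "/run/media/")) or re.match(r"^[D-Z]:\\", dest):
        return "removable"
    return "unknown"


def check_transfer(content, dest, audit):
    """Decide whether content may be written to dest and append an audit record either way.
    Returns (allowed, reason). The audit list is the 'documentation' step of the process:
    it records where the data went, or why it was stopped, without storing the SSNs themselves."""
    hits = find_ssns(content)
    kind = classify_destination(dest)
    if kind == "unknown":
        allowed, reason = False, "destination is not an approved server"
    elif hits and kind == "removable":
        allowed, reason = False, f"{len(hits)} SSN(s) found; removable media is blocked for sensitive data"
    else:
        allowed, reason = True, "ok"
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "dest": dest,
        "dest_kind": kind,
        "ssn_count": len(hits),
        "ssn_samples": [mask_ssn(s) for s in hits[:3]],
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


if __name__ == "__main__":
    log = []
    for content, dest in [
        (SAMPLE_EXPORT, "/media/usb0/export.csv"),                    # blocked: SSNs to a flash drive
        (SAMPLE_EXPORT, "server://files.example.edu/hr/export.csv"),  # allowed: approved server
        (SAMPLE_CLEAN, "/media/usb0/roster.csv"),                     # allowed: nothing sensitive
        (SAMPLE_CLEAN, "server://dropbox.example.com/roster.csv"),    # blocked: server not approved
    ]:
        print(dest, "->", check_transfer(content, dest, log))
    for rec in log:
        print(rec)
```

The pattern here only catches dashed SSNs; a production control would also look for undashed nine-digit runs with supporting context (column headers, nearby labels) and for other identifier types, and would apply the same gate to e-mail attachments and cloud uploads, not just flash drives. The masking in the audit record matters: a log that stores the full values it blocked is itself a copy of the sensitive data.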
Data breaches are a growing problem. The 2010 data
breach report from Ponemon Institute found that the average cost of a
data breach is approximately $7.2 million. That hefty price tag
includes the cost of hiring a third-party security auditor with
computer forensics expertise to investigate what happened and fix the
issue, notifying all affected users and the state government, setting up a
call center to handle questions from worried victims, paying for
credit monitoring services, and lost productivity and sales as customers
leave, Shaul said. In a heavily regulated industry, compliance fines
can add further to the cost of a breach, he said.