At a recent presentation to state risk managers in Olympia, representatives of the law firm BakerHostetler, which includes a number of attorneys who specialize in resolving information security data breach issues, reported that cyber attacks using Phishing and Malware were the cause of 31% of the more than 300 data security incidents the firm handled nationwide in 2015. This is not much of a surprise given the recent increases in the number of these types of attacks.
The second highest category identified at 24% was Employee Action/Mistake, which includes failures of employees to follow organizational policies resulting in a data breach.
Interestingly, the next highest causes of data losses fall into other categories that also have significant ties to how authorized users interact with information technology and the data stored and manipulated with that technology. These include: Loss or Theft of a Device (17%); Vendor/Contractor Actions (14%); Internal Employee Theft (8%); and Lost or Improperly Disposed Data (6%).
These statistics show that the human component of data protection is significantly more important with regard to modern IT security issues than is the technology component.
The underlying source of ALL of these top kinds (92%) of data breaches can easily be attributed to the authorized users of the compromised data and either a deliberate disregard for organizational policies or a lack of information security awareness on their part.
Clearly, it is important for each of us to understand that we each need to constantly protect the college data we access during the course of our daily work, and to ask questions of our supervisors when we are not certain how best to do that.
The college has published a number of policies and procedures related to technology use by college employees and the protection of college data. Here are links to a few of those current documents:
- 2550 Federal Privacy Act Disclosure: of Social Security Numbers
- 2600 Family Education Rights and Privacy Act: Disclosure of Student Information
- 2600P Family Education Rights and Privacy Act: Disclosure of Student Information (Procedures)
- 5000 Acceptable Use of Bellevue College Computers
- 5000P Acceptable Use of Bellevue College Computers (Procedures)
- 5150 Acceptable Use of the Bellevue College Network and Bellevue College Data Management Systems
- 5150P Acceptable Use of the Bellevue College Network and Bellevue College Data Management Systems (Procedures)
- 5250 Information Security
- 5260 Security Breach Notification
- 5260P Security Breach Notification (Procedures)
Take some time this week to update yourself on the information in these important documents and, as always: Safe Computing!