Employees are willing to steal data from their employers, and for the most part nothing is being done to stop them. Two separate studies published this week show that insiders are walking off with customer lists, plans and proposals, and sensitive product information.
Dark Reading has more details:
Almost half of the respondents (48 percent) admitted if they were fired tomorrow they would take company information with them, Cyber-Ark says. Thirty-nine percent of people would download company/competitive information if they got wind that their job were at risk. A quarter of workers said the recession has made them feel less loyal toward their employers.
As we have noted before, much of the insider theft (42% in one survey) is committed with the help of USB flash drives. In response, Kanguru is developing management tools to give companies more control over their USB thumbdrive fleet. With KRMC, administrators currently have the power to remotely disable or delete employee flash drives when the individual is leaving the company. Next week Kanguru will be announcing a powerful new add-on module specifically designed to keep unauthorized flash drives out and prevent data leakage via USB devices.
Data Security, Portable Storage
Health Net Inc. announced this week that it lost a portable hard drive containing the patient data of 1.5 million customers. The data was not encrypted.
Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.
“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”
There have not been any cases of fraud linked to the incident, but Health Net will be picking up the tab for credit monitoring services for all impacted customers.
Data Security, Healthcare
A recent report from ICSA Labs and Verizon Business found that a majority of security products failed to perform when first tested by independent labs. Most products “require two or more cycles of testing before achieving certification”, showing that users should be skeptical of claims made by vendors unless they are backed up by independent testing.
Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability. Even though it can be a demanding process, certification with a trusted, established third party is critical to verifying product quality, states the report.
The industry standard for encryption products is the FIPS 140-2 certification given jointly by the US Government (NIST) and the Canadian Government (CSEC). This process requires vulnerability testing by a third-party lab followed by Government review. FIPS 140-2 ensures that encryption products do what they say they do, and is the recommended security level for HIPAA and other regulations. More information is available from the Cryptographic Module Validation Program (CMVP).
Data Security, Malware
Despite having readily available solutions, our public institutions continue to expose personal data by losing unprotected USB flash drives.
This week the culprit is Roane State Community College, which let an employee copy names and Social Security numbers to an unencrypted 4GB USB stick. The drive was promptly stolen from an unlocked car and the College will be paying for credit monitoring for 15,977 current and former students and employees.
Data Security, Portable Storage
A new report from Microsoft highlights the threat from malware that automatically loads from USB flash drives.
The Washington Post Security Fix has a good summary:
In its latest “Security Intelligence Report,” Microsoft counted the number of threats detected by its anti-malware desktop products, and found that the Conficker worm, along with a Trojan horse program called Taterf which steals passwords and license keys for popular computer games, were detected on 5.21 million and 4.91 million Windows computers, respectively.
Kanguru takes the autorun threat very seriously and is designing its secure flash drives to counter the risk. The Defender Elite encrypted flash drive features a secure vault that launches Kanguru’s encryption application. The vault cannot be altered by hackers or used to launch autorun attacks. In addition, Defender Elite will soon feature an onboard anti-virus/anti-malware scanner that will check all files that are stored on the device.
Data Security, Portable Storage
GCN reports that Congress may (or may not) pass federal data breach legislation this year. The Senate Judiciary Committee is currently considering a bill that would set standards for protecting sensitive personal information. Staffers are optimistic that something will get done this year.
A patchwork of state laws has grown up in recent years requiring organizations holding personal information to notify individuals when that information is exposed. This has been a big step forward in data protection, giving millions of potential identity theft victims a heads up when they might be at risk and highlighting identity theft as a major crime issue. But just about everybody agrees that a national standard would be an improvement, although there is concern that federal preemption of state laws could gut some of the stronger standards states have put into place and might limit citizens’ legal recourse.
It is not clear whether federal legislation would specifically require encryption of sensitive data, as the Massachusetts and Nevada state laws do. Encryption is certainly an effective way to avoid a costly data breach.
Data Security, Government