The InfoWatch analytical centre presents a summary of the past year’s internal IT-security incidents around the globe. The goal of this project is to analyze all confidential data leaks (including personal data leaks), reported by the media during the past year. We have analyzed leaks from around the world in all types of corporations.

The InfoWatch analytical centre started its leak database in 2004. As of today, the database contains records on several thousand leaks. The database served as the basis for this study.

The Source of Data Leaks

Last year, researchers agreed that there were no obvious geographical patterns regarding data leaks. This does not mean that such patterns do not exist, however. If most of the information about leaks is taken from the media, taking country of origin into account distorts the results significantly. Every country has its own media laws, its own rules and practices for keeping data confidential, not to mention language barrier problems. This is why country distribution was not included in the survey.

The following diagram represents a leak distribution based on organization type. Last year we divided organizations into government-based and private. This year, in addition to government offices and private corporations, we have included not-for-profit organizations (mostly educational institutions).

Leak distribution based on organization type.

The results of a similar InfoWatch study in 2006 were split at 34% for government offices and 66% for private organizations. In 2007, the share of government offices dropped to 22%. Since no data regarding a change in leak publication policies has been noted, it is logical to assume that government offices have increased their internal security measures.

In general, it is easier to introduce the required security measures in government offices, since it easier to bypass legal problems. This includes a general ban on the viewing of messages broadcast over communication channels that is present in most countries. The means to bypassing this ban are different for each country, yet it is obvious that such an act is easier for a government office to carry out.

Another reason for the drop in government data leaks is an increased awareness of the problems associated with protecting confidential data. The media and, as a result, the public are interested in publicizing all data leaks, including those that are unlikely to cause any harm, in addition to truly dangerous leaks that usually involve the government. The number of organizations processing confidential data has increased, and is made up of mostly non-governmental structures.

It is worth noting that the percentage of educational institutions in the study is rather large. On one hand, there is no strong commercial incentive to protect client data (students’ data, in this case); on the other hand, employee discipline in such institutions is considerably lower than that of public servants. Both of these factors make a drop in students’ data leaks in the near future highly unlikely.

The InfoWatch analytical department predicts an increase in the overall amount of data leaks over the next three years. The share of governmental leaks will continue to slowly decline due mostly to an increase in the amount of organizations that process personal data. The difference in security measures between the governmental and private sectors is negligible, and will remain so in the foreseeable future.

Nature of Leaks

The following diagram represents a leak distribution based on data type. Commercial secrets and know-how are combined under one category, since they are classified as being the same in most countries (although know-how technically belongs to intellectual property in Russia – a new addition to Russian law). Moreover, such legal distinctions are often impossible to ascertain from a media analysis. The “other” category includes government secrets and situations where the data type is unknown.

Leak distribution based on the confidential data type.

In a similar InfoWatch study carried out in 2006, the personal data percentage was slightly lower (81%) as opposed to the current 93%. We believe that this increase goes beyond the statistical error margin and represents a real rise in personal data leaks. The value of personal data increases every year. As the economy becomes more and more “virtualised” and e-business develops, more and more ways to commit identity theft arise, hence the increase in the demand for personal data. The value of other types of confidential data is growing as well, but at a much lower rate than that of personal data.

A further increase in the value of personal data is expected, but it is unlikely that the overall number of leaks will increase, due to an increase in internal security measures.

Leakage Channels

Knowing possible data leakage channels is incredibly important for developing software-based and organizational security measures.

The following diagram represents a leak distribution based on the medium that was used to move the data outside the data system.

Leak distribution based on medium.

In comparison with 2006, the percentage of portable devices has decreased significantly (from 50% last year to 39% in 2007), while Internet channels have increased (from 12% last year to 25% in 2007). The percentages of other media are within the statistical margin of error, and are thus deemed unchanged. As the amount of leaks via the Internet increases, so does the need for online data leakage prevention systems.

It is interesting to note that last year only one case of an email-based leak was reported. One would presume that this channel is the most available and easiest to use. However, it is just as easy to control the email flow as it is to abuse it. In addition to serious anti-insider security systems, the market offers a vast array of primitive ways to protect email traffic. These are usually oriented on the messages themselves, since they are easy to view and archive. This acts as an obvious deterrent from using this channel to pass on confidential data. Sending confidential data via email by accident is also rather difficult.

When creating and integrating leak protection systems, it is important to note which leakage channels are currently the most “popular”.

If the aforementioned statistics are broken down into intentional and accidental leaks, we will see that both Internet and portable devices are the most popular channels for accidental data leaks. More often than not, it is a chance laptop theft (where the data is not intentionally targeted) or accidental file sharing. For intentional data theft, the most common channels are “other” and “undiscovered” (such as the theft of a desktop computer or a hard drive).

Leak distribution based on medium for intentional (top) and accidental (bottom) data leaks.

When integrating a data prevention system at an organization, the difference between the “intentional” and “accidental” statistics will be an important factor. For example, after installing an Internet traffic control system (the blue sectors: 27% accidental and 18% intentional), the system can prevent all 27% in the first case, but a lot less than 18% in the second. The malefactor`s actions are deliberate and often he knows about the prevention system. Therefore, he will try to use different channels that are not subject to control. Since the discrete use of such prevention systems is virtually impossible, the efficiency of preventing intentional data theft will be lower than for the same areas in the ‘accidental’ diagram.

Separating the intentional incidents from the accidental ones is straightforward. The only area that may cause problems is computer theft. Since we are looking specifically for data leaks, the demarcation is as follows. If the thief wanted to steal the data, then the theft is intentional. If he wanted to steal valuable hardware, then the data theft is secondary and is defined as accidental. Fortunately, the media almost always hints at the thief’s true intentions.

The following diagram shows the leak distribution according to intent.

Leak distribution based on intent.

The previous study had a similar distribution (77% and 23%). The difference between the 2006 and 2007 results can be classified as statistical fluctuation. We are not looking at possible reasons for this difference.

It is evident that even without combating malicious insiders, and focusing only on preventing accidental data leaks, we can lower the total amount by three quarters, which substantially lowers losses. The prevention of accidental leaks alone saves a significant sum of money, which is sufficient grounds for integrating a prevention system.

Latency

Many data leaks that show up in the media occur during various modes of data transfer, when two or more parties end up blaming each other. Another common occurrence is when a leak is visibile to outsiders. For example, it could be visible to the company’s clients or indexed by search engines. Very few data leaks are reported from within a company, as most companies are keen to hide them. When there are no outside witnesses, this is easier to achieve. In some countries reporting a leak is mandatory, even if no harm is caused. Nevertheless, it is possible to hide a leak.

As such, a significant amount of confidential data leaks go unreported, especially if only one organization is involved. Therefore, the statistics for such events are probably unreliable.

Trends

The following trends have been identified in the ILDP (Information Leakage Detection and Prevention) market:

Lack of standards and a unified approach

It is important to note that despite the fact that many companies offer data leakage prevention software, no single standard for such software has been developed as of yet, neither on the level of legal standards, nor on the level of business practices. There are also no noticeable similarities in the technical demands for ILDP solutions among customers.

Then again, the creation of standards on similar markets (antivirus and antispam protection) took a few years.

Inefficiency of purely technical solutions

Each problem has to be dealt with using the appropriate methods. Since the problem of data leakage is socio-economic, the solution must rely on socio-economic measures. Using technical methods is possible, but only as policy enforcement tools. Solving such a problem with purely technical means is impossible. Each technical solution will have a counter-solution, etc.

In addition to that, the introduction of legal questions complicates things. A person’s privacy is protected in every country. In many countries, such rights are inalienable, meaning there is no way of forfeiting them. Establishing a data leakage prevention system in such a way that it does not conflict with the local laws is difficult. This requires the participation of legal experts, in addition to engineers, from the very beginning of a project.

Despite these problems, most of the solutions on the market are straightforward technical solutions, which result in the basic filtration and monitoring of all traffic that enters and exits the protected network perimeter. Of course, such primitive solutions are easily exploited both by malicious insiders as well as loyal employees. In addition to that, they often lead to a breach of the employee’s constitutional rights and can lead to legal risks for the organization. Purely technical solutions may also antagonize employees or reduce loyalty. Such solutions can cause more harm than they prevent.

Organizational, financial and legal questions can be solved only if leak prevention starts from those areas – when the project is developed by the relevant experts and not by the “tech guys”. The technical side of the question is secondary.

Lack of a Complex Solution

It is important to note that data leakage prevention software developers rarely use a complex approach. Usually the solution protects only one or two data leakage channels, mostly web and email traffic.

Even if controlling one or two channels has some effect against accidental data loss, it is completely useless against malefactors.

Integration and Implementation

At first glance, integrating a data leakage solution into the communication channels and software is beneficial. However, not a single integrated solution is currently available on the market. The closest thing available right now is a software interface for activating preventative software (including data leakage prevention). However, such interfaces are currently rare in firewalls, routers, access points, etc.

However, the developers are actively working on this area. Certain developers have bought ILDP products in order to implement them into general products.

It is unlikely that a fully integrated solution will appear in the next few years. Similar products, such as antivirus and antispam products have not been integrated into email servers and operating systems yet.

Introduction from the CEO

On behalf of InfoWatch, I welcome you to our – and the world’s – first-ever annual study on the problems of internal IT security in Europe. Our findings are based on surveys we conducted with a range of middle- and upper-tier IT management professions from 410 companies across Europe.

Europe’s IT professionals expressed a range of concerns on the subject, with theft by company insiders occupying pole position – concerns we have found they share with their colleagues both in the US and here in Russia.

Data leakage is a new kind of enemy. It will be many years before the problem is completely understood, systems developed and fully incorporated into the workplace. But as a society, a business community and an industry, things are clearly moving in the right direction.

Whereas the public’s attention was previously directed towards virus epidemics and hacker attacks, it is now shifting to the more relevant problem of safeguarding information resources from internal attack. Of course, an integrated technological solution is only one part of the overall solution. But without it, factors such as employee training and a cogent internal security policy can never be enforced or even shown to be effective. Now that a broader base of corporate clients appreciates this, the market for specialized IT security systems is taking shape.

Data on the real number of information leaks in Europe over a given period has not always tracked reality. The EU¹ – unlike the US – has had no directives requiring the mandatory notification of victims in cases of data breach, and companies have been slow at times to initiate notification procedures.

The reasons are not difficult to appreciate. It is natural that company management would fear the major costs – both financial and in terms of lost reputation – which accompany a data leak. And rather than initiate costly procedures against themselves, some have opted to hope that the problem will just go away, especially in the typical case of a lost or stolen laptop. Here, it is tempting to hope that those in possession of it will not appreciate the potential value of the unencrypted data it contains. Such a policy of avoidance can result in hefty losses for those whose data is held on the computer and who become victims of identity theft as a result.

Many companies have, of course, been proactive in dealing with such leaks, notifying those affected, setting up advice hotlines, providing bank account monitoring and bringing in the law-enforcement agencies.

But while, to date, admissions of data leakage across the EU have relied on companies choosing to make that information public – a decision which has depended on how the company perceives its best interests in the circumstances – that may soon change.

The EU is discussing a directive² which will oblige companies to inform those affected within a set period. If passed, it will add a further layer of consumer protection (albeit after the fact) to issues of data leakage, and lead to greater transparency on an issue which can affect any one of us at any time. In Britain, meanwhile, the Financial Services Authority³ (FSA) is involved in moves which would empower it to order all regulated financial companies to immediately inform customers of data security breaches.

While we welcome the growing appreciation among IT managers of the importance of viable preventative solutions to internal information security, we look forward to being able to share with our partners and clients the clearer picture of data leakage across Europe that the proposed EU directive will stimulate.

Key conclusions

• Europe’s IT professionals overwhelmingly indicate (78%) that data theft represents the primary information security threat – more significant than either viruses or hacker infiltration
• Of all possible results of compromised information security, the threat of leakage of confidential information is keeping more members of the IT department (93%) awake at night than any other
• Europe’s primary data leakage channels are identified as portable storage devices, e-mail, and Internet-based channels such as web-mail and forums
• Only 11% of those surveyed were confident their company’s information security had not been breached over the last year – a figure which closely mirrors the number of companies with anti-leakage solutions in place – with 42% admitting to between 1-5 breaches and 37% unable to say with certainty that that no breach had occurred
• The lack of industry standards is highlighted as the primary obstacle (42%) to wider implementation of anti-leakage technologies
• Perceived solutions include the deployment of comprehensive anti-leakage software, the implementation of appropriate organizational measures – such as clear and consistent internal security policies – controls on external network access, and raising staff awareness and discipline through training

Methodology

The survey was conducted by the InfoWatch Analytical Center and included detailed responses from 410 companies between January 2nd and March 2nd 2007.

Responses were collated from:

• Visitors by European IT trade exhibitions attended by InfoWatch
• Seminars and conferences organized by InfoWatch and its partners
• Personal and telephone interviews with representative IT professionals from companies
• E-mail correspondence with representative IT professionals from companies

In all cases, the respondents answered a set number of questions according to consistent rules. Upon conclusion of the survey, we offered respondents the opportunity to comment freely on the topic which concerned them most.

Statistical processing and results analysis were carried out by the InfoWatch Analytical Center. Percentages are rounded off to the nearest one percent.

Note: Total percentages for some answers exceed 100% due to the use of multiple-choice questions.

Respondent profile

As with all our surveys and research papers since 2004, the respondents were all managers or senior employees specializing in IT and information security. The survey respondents themselves, their responsibilities and their companies’ area of work were chosen to reflect a broad representation of European industry. And all those who took part are responsible for decision-making in the area of corporate data systems development.

The majority (67%) of the respondents’ companies (Fig. 1) has between 500-5000 employees and 78% have between 100-5000 workstations on site.

These two indicators taken together show that our survey was drawn predominantly from medium-sized and larger medium-sized companies.

Fig. 1. Number of employees

Fig. 2. Number of workstations

We approached (Fig. 3) a broad swathe of companies in terms of business activity.

Fig. 3. Business sector

All our survey respondents were directly involved in IT and information security issues, with upper-tier managers making up 67% of the total.

Fig. 4. Positions held by respondents

The sheer number of specialists within large and medium-sized companies who answer for the security of information indicates how the problem is increasingly being taken seriously. Undoubtedly, this is a very positive trend because data protection plays a key role in the stable development of any organization.

Meanwhile, small businesses are still working without information security specialists, and in some cases they have no full-time IT specialist at all. These organizations prefer to outsource their IT work to contractors or to ignore it altogether and deal with any problems as they arise as best they can.

IT threats in Europe

Clearly, the greatest IT threats are perceived (Fig. 5) as data theft (78%) and employee negligence (65%). This fact is significant, given that in many cases the two events are connected. Let us take a typical case of data theft where a laptop with unencrypted data is stolen from the vehicle of an employee or from an office. Had the employee not been negligent in applying the company’s information security policy of encrypting sensitive data, the loss would have been no more dramatic than the cost of a replacement laptop. And the laptop would, in all likelihood, have been insured in any case.

Viruses (49%) – which can be characterized as ‘background’ threats (i.e. they are typically not directed at a specific company and a generalized inconvenience affecting all, like bad weather) – occupy the centre ground. Hackers (41%) are seen as the highest-rated outside threat of a personal and motivated nature.

It is interesting to see hackers regarded now as only a moderate threat by genuine IT professionals given the widespread acceptance of their supposedly ubiquitous powers by the general public.

Fig. 5. Most significant IT threats
Note: Respondents could choose up to three options

We note that sabotage (15%) is on the radar, though not to the extent one might expect. Whereas the amount of damage a disgruntled employee can cause to a company may potentially far exceed that of even a motivated outsider (such as a hacker), the perception still lags behind the reality.

We are able to provide further insights by taking the findings from the previous survey item and dividing it into two basic categories – internal threats and external threats.

• External threats:
  • Viruses
  • Hackers
  • Spam
• Internal threats:
  • Data theft
  • Sabotage
  • Negligence
  • Fraud

We excluded the threat of hardware or software failure from the equation since it did not properly fit with the point of establishing threats of an intentional nature (by either commission or omission) from within and without. We then calibrated the findings to account for this change. We included data theft among internal threats since it occurs most frequently as the result of insider activity. Insiders are acquainted with company documents and are best placed to understand what information has potential value.

Fig. 6. External versus internal threats

It is interesting to see that the perceived threat of internal security breaches among those personally responsible for IT security is greater than that of hackers, viruses and spam altogether.

The problem lies in the fact that it is much harder to protect against internal threats than against viruses where all one needs to do is install an effective antivirus package. Internal threats require more. It is a multi-faceted – but at the same time, completely solvable – problem.

Internal threats

We have seen that the major information security threat to a company comes – potentially at least – from the people who work there. That being the case, it makes sense to look at how insider threats in Europe break down.

Fig. 7. Major internal information security threats
Note: Respondents could choose up to three options

Many internal threats are connected with each other. For example, fraud requires the distortion of sensitive information – typically, financial reports – and sabotage invariably results in the leakage of confidential information or data loss.

However, the predominance of confidential information leakage in the minds of European IT managers and executives as the leading issue firmly indicates the lack of fully integrated solutions covering this base.

Confidential information leaks

Given that a confidential information leak at the hands of insiders is the greatest information security threat, we asked our survey participants to identify the most serious consequences for their company from such a leak.

Fig. 8. Primary information leakage concerns
Note: Respondents could choose up to two options

Cases of confidential information leak are legion and the costs associated with one are well known. For example, the annual bank account monitoring costs per annum for even an average leak of 50,000 would be a minimum of 5,000,000 USD. And there are many other costs besides.

Nevertheless, direct financial costs were adjudged to be far less significant than the damage to reputation and loss of customers arising from a leak. Such an assessment indicates understanding among European IT professionals of the long-term damage such a leak can cause to a company’s underlying viability.

Next, the InfoWatch Analytical Center asked about the most common channels used by insiders to leak information from within a company.

Portable storage devices such as USB flash drives or backing-up onto a laptop were seen as the primary channel. However, Internet-based channels such as e-mail, instant messaging services, web-mail and forums were individually key causes for concern, and collectively the largest.

Fig. 9. Most common leakage channels used by insiders
Note: Respondents could choose up to three options

Of particular interest is the rating received for printers (54%). Further individual questioning of respondents revealed that some of those companies with cogent IT-security systems in place – based on either electronic data technology which filters outgoing traffic or controls on access to internal networks – still had concerns about printers. Data which they copy is neither filtered nor is it subject to network regulations. Such printers are an open door – and European IT managers understand this – and as such they are especially attractive to insiders as a means of purloining internal data.

We now turn to the question of the number of confidential information leaks over the last twelve months (Fig. 10).

We see that only 11% were able to say with confidence that none had taken place. Later in this report (Fig. 13) we find that this is close to the 16% of companies which currently have anti-leakage solutions in place. Meanwhile, the fact that 42% admit to having had between 1-5 leaks in the last year provides food for thought on two counts.

Firstly, it makes the need for the kind of legislation the EU is currently considering all the more urgent since, on the basis of this sample, the undisclosed leakage across Europe is widespread.

Secondly, is shows how woefully disconnected even the picture of frequent leaks we see in the press is from the underlying reality, and how data on the subject only really describes the tip of the iceberg.

Fig. 10. Leaks from companies in past 12 months

Regulation

Our survey then turned to the question of whether organizations in the EU should be obliged by law to notify people in the case of personal data being compromised (Fig. 11).

Almost 70% felt that there was either a severe or probable need; and this not from consumer rights organizations, but from people with much to lose professionally in the event of a leak becoming public knowledge.

Fig. 11. Need for EU legislation requiring leak notification

Over 50% of IT professionals felt that EU legislation should require organizations to protect the personal data it holds from insiders.

And while the costs of implementing a fully integrated anti-leakage solution are negligible compared with the colossal costs – direct and indirect – which such leaks entail, such legislation would certainly strengthen IT managers’ hand to more forcefully argue the need for such a solution to other members of the management team.

Fig. 12. Need for EU legislation requiring protection of personal data insiders

Means of defense

We turned next to the question of information protection systems companies have in place.

Anti-virus, firewall technologies and access controls on workstations were, understandably, the norm. The rise in the use of virtual private networks (VPN) – a private communications network often used by companies or organizations to communicate confidentially over a public network – was of particular interest. It means that companies are taking their network security seriously way beyond the confines of the intranet.

Fig. 13. Information security technologies organizations use
Note: Respondents could choose unlimited options

Anti-leakage systems are lacking across the board with less than one in six companies having a proper system in place. So what is preventing companies from buying in proper data defense systems (Fig. 14)?

Fig. 14. Obstacles preventing organizations using anti-leakage technologies
Note: Participants could choose unlimited options

Leading the pack we have lack of standards (42%). This figure is augmented by the perception that no technological solution exists (12%), and lack of skilled specialists (29%). The fact is that anti-leakage technology does exist – even though, evidently, not everyone knows about it – but it is still a relatively new field. And as such, it has yet to develop across-the-board standards. Many European IT managers are simply biding their time until the market matures and cut-and-dried market-wide protocols are in place.

By standards we mean not only procedural norms or staff recommendations, but an entire, integrated approach to dealing with internal security issues. In the absence of such a range of standards covering each aspect of a multifaceted approach, managers find it difficult to justify the cost of buying in dedicated solutions or assigning a portion of their budgets to on-going implementation costs. In addition, other factors can make this a difficult issue for managers to decide on. The high number of suppliers with fundamentally different products in this area – all with their own particular strengths – can make it particularly tough to compare products and opt for one.

Despite their concerns about unified standards, the fairly even spread of opinion among European IT managers and specialists as to the best way to fight insider information leakage (Fig. 15) demonstrates that they realize that while technological solutions are part of the answer, they cannot stand alone without proper organizational procedures, training, and other security measures.

Fig. 15. The most effective methods of leakage prevention
Note: Respondents could choose up to three options

We turn now to the future. We are all agreed there is a problem. Let’s see what means companies are planning – if any – to use to deal with it.

Fig. 16. Organizations’ plans for deploying anti-leakage technologies over the next 3 years

We see here (Fig. 16) that, despite concerns about standards, a full third of managers expect to have comprehensive monitoring systems in place in the next three years. It may be that they expect the issue of standards to be sufficiently resolved in that time so as to allow them to buy in a solution with confidence. Alternatively, the pressure on companies to protect their data from insiders may simply become so great – due to further spectacular leaks or simple outside legislation – that managers will feel that their companies have no option but to bite the bullet and buy in a solution.

There is a clear acknowledgement of the role the Internet plays as a key leakage channel, with a full 42% intending to plug in technological solutions on that front.

Open question

At the end of each interview we asked European IT managers to give us their full view on any aspect covered by the survey. Here, they again voiced their concern about the absence of a unified internal security approach. In the real world, this hampers the process of opting for a specific solution. Naturally, solution suppliers emphasize their products’ benefits, but the lack of unified standards makes comparison with competitors very inexact.

In addition, there is the issue of budget planning. One respondent put it like this: “We all know how to deal with viruses. You install an antivirus package on the gateways and workstations, and then you can work out how much the licenses will cost over time. It’s that simple! But protection from insiders is different. Each solution supplier has its own view on how best to set up an internal security system. And even among colleagues you find disagreement on this issue.”

Despite these concerns, respondents found that a consensus is beginning to form. This is primarily due to the fact that organizations never cease expanding the number of business communication channels they use: E-mail, Internet, instant messaging services, printed materials, various wireless networks, new network protocols and software. In an environment of ever-expanding means of communication, it is logical that internal security systems not be channel-specific, but provide a scalable solution into which new channels can be assimilated.

With the legislative proposals currently under review by the EC in Europe and the FSA in Britain to oblige companies to immediately inform customers of data security breaches, we see a further step along the road towards confluence, synthesis and consensus on the question of how best to formulate standards on this vital issue.

Conclusions

This report provides the benchmark in pan-European data from IT and information security specialists on the issue of the threat of confidential information leaks. It provides a much-needed platform from which, in future years, we be able to measure tendencies on this issue across the continent.

It shows that, at present, internal data threats (55%) are regarded as more dangerous than external threats (45%) such as hacker attacks or virus infection. The core internal concerns are the theft of confidential information by insiders and employee negligence.

Respondents are acutely concerned about the damage to a company’s reputation and the loss of customers as the result of a leak, with these two issues combined outweighing concerns about direct financial loss by a ratio of 5:1.

We see that 16% of companies have a confidential information protection solution in place with a further 32% planning to implement solutions in the next three years.

We expect the expected confidential data legislation in the EC and by the FSA in Britain to have a galvanizing effect on the pace of fully integrated solution implementation.

¹ Existing EU law requires only that customers be generally notified about security risks, but not about specific instances in which a security breach has occurred. Commission staffers remarked in a June 29 report that a security breach notification requirement “would create an incentive for providers to invest in security without micro-managing their security policies”.

² Brussels, 28 June 2006 SEC(2006) 816, COMMISSION STAFF WORKING DOCUMENT COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS on the Review of the EU Regulatory Framework for electronic communications networks and services {COM(2006) 334 final}.

³ The Financial Services Authority (FSA) has the power already to order all regulated financial companies to immediately inform customers of data security breaches. It backs notification in almost all cases, but a blanket rule has yet to been laid down.

Introduction

VoIP (Voice over Internet Protocol) technology is developing rapidly, and Skype is the most popular VoIP product on the market. Skype allows users to reduce telephone charges significantly compared to traditional telephone networks, with no loss of connection quality. A second advantage is ease of use. Users worldwide are up and running in seconds: Simply install Skype and plug in a microphone. That done, one can talk, exchange files, text messages and so on.

However, Skype take-up has gone beyond domestic users – it is also used on corporate networks. This is not surprising when one considers how it significantly reduces the cost of long-distance and international calls and simplifies inter-office and person-to-person communications. On top of that, the utility requires no administrator privileges to set up and use. Employees can download Skype from the Internet for free and simply install it on their corporate workstations. This gives rise to a new problem: The increased Information Security (IS) risk of Skype use in the corporate environment.

The issue of Skype and network security is pressing. It is a widespread program which attracts the attention of both insiders and hackers alike. For example, internal information thieves can steal vital data using Skype. Meanwhile, there is no shortage of examples of hackers probing Skype for vulnerabilities.

The present research is the first Russian study into risk-free Skype use on corporate networks. It had as its object:

• To assess anxiety among IT and IS specialists regarding the use of Skype on company intranets.
• To identify additional IS threats which add to such fears.
• To pinpoint the source of these risks.

Key conclusions

• Skype is the clear leader among VoIP products. Almost half of those surveyed (46.8%) use Skype. If one removes those without any form of VoIP, then Skype takes 64.9%.
• The risk of a leak of confidential information is the greatest threat (55.6%) for a corporate network which has Skype. That is, the survey’s participants fully understand what channels for additional leakage the program presents to insiders.
• Skype itself can not seriously be blamed for these additional risks. The core problem is with the human factor (44.6%) rather than with faults in the program.
• Despite this, almost two-thirds of those surveyed (66.4%) incline to the view that the threats which attend the introduction of Skype into the corporate environment are a serious obstacle to the program’s wider acceptance. Only one-third of specialists (33.7%) felt that IS problems would not prevent the program’s wider acceptance among companies.

Research methodology and survey participant profile

This research was conducted by InfoWatch’s analysis center between 15th and 30th of January, 2007. Survey participants submitted their answers via an online form with 1242 people taking part. Statistical processing and results analysis were carried out by InfoWatch’s analysis center. Percentages are rounded off to the nearest one-tenth of one percent. In the case of some answers, the total percentages exceed 100% due to the use of multiple choice questions.

Survey participants’ IT status

The target participants for this research break down as:

• IS specialists: 37.1%
• System administrators: 34.3%
• Users: 28.6%

This means that around 71.1% of those surveyed are IT professionals.

VoIP use options

In fig. 2 we see the survey participants’ preferences regarding the VoIP programs available. That Skype is in first place (46.8%) comes as no surprise to anyone. It is the first – and some would say the most convenient – program for voice transmission over the Internet. All its competitors together only garnered a quarter of the votes (25.3%). We should mention that slightly over a third of specialists surveyed (27.9%) had no VoIP service on their intranets at all. It is probable that this is a result of the threats associated with using Skype.

VoIP options in the corporate environment

Denis Zenkin, InfoWatch’s Marketing Director says, “Skype’s security problem is very real. Firstly, the program uses its own protocol which is not supported by traditional inter-network screens. Secondly, voice traffic is difficult for electronic systems to filter, and to do it manually is not cost-efficient. The simplest solution is to forbid the use of Skype altogether. But this is no solution since the program is convenient and beneficial.”

Skype threats

The research concentrates for the most part on identifying the risks inherent in using Skype and on their causes. It found that a clear majority of those surveyed sees a whole range of threats connected with the use of Skype (see fig. 3). A mere 5.3% of specialists felt that the use of Skype on a corporate network represented no threat whatsoever.

The greatest risk – according to 55.6% of those surveyed – is the leakage of confidential information. In other words, more than half the specialists felt that as a result of using Skype, confidential corporate information could leak out. The research concludes that the threat of a leak of confidential information is twice as likely (55.6% as opposed to 29%) than a hacker attack on intranet resources.

The center ground was occupied by the following risks:

• Unsanctioned access to information: 37.2%
• Data loss risk: 33.2%
• Threat of malignant program getting to workstations: 31.7%
• Other risks: 7.4%

Threats from Skype

VoIP solutions – and this concerns not only Skype – clearly present companies with a whole range of IS threats. Programs for voice or video communications are sufficiently simple and accessible for insiders to use. Controlling Skype is no easy task since voice traffic is hard to filter automatically. At the same time, the use of attached files presents no difficulty to even inexperienced users. On top of this, as with the majority of software products, VoIP client programs have vulnerabilities which, theoretically, may be exploited.

What is more, in the opinion of InfoWatch’s analysis center, the risk of hacker attack is somewhat less than commonly thought. The most likely explanation is that fear has its roots in past dangers from hacker break-in. Realistically, at the present time, the threat from hackers is not so great. The threat from malware is also exaggerated. Only one instance of a Trojan penetrating a breach in Skype has been established. We remind readers that a virus cannot spread by itself but has to be physically downloaded by the user.

The source of threats

Having established that use of Skype leads to additional IS risks, the InfoWatch analysis center went on to ask its survey participants to indicate the sources of new IS threats (fig. 4). Clearly, apart from factors connected with the Skype program itself, vulnerabilities can arise due to other causes, such as faults in a given piece of software or malignant intent or lack of discipline among users, etc. The findings indicate that the majority of survey participants (44.6%) regards the workforce itself as the greatest source of threat. In other words, it is the human factor which is most likely to result in an IS incident connected with Skype.

The nature of risks arising from use of Skype

The second-highest rating (26.7%) was accorded to faults in Skype’s software environment. Here we mean either vulnerabilities in the operating system, or the means of defence used and any other software application which might lead to an IS threat when run in combination with Skype. At the same time, only 23.4% of those surveyed thought that such issues were the responsibility of Skype’s developers. And only one in twelve specialists (5.4%) thought that Skype represented no IS threat whatsoever.

Thus, VoIP programs may hardly be said to be the root cause of risk. In almost half the cases, either a company’s employees themselves who did not know how to use their tools properly, or those who expressly wanted to steal information were at fault. To summarize, one may say that to stop using Skype is like trying to ban the Internet or e-mail. VoIP is beneficial and convenient, but to prevent the occurrence of the nightmare scenario – the loss of confidential information – companies need to protect their data in the same way as they protect against theft via e-mail, the Internet, printers or USB data-storage devices.

Denis Zenkin says, “Skype represents a unique opportunity to save money on long-distance calls. This means companies have an interest in the use of VoIP. To say that using Skype exposes corporate networks to unacceptable risk is not correct. But there is also no point in denying the risk altogether. However, other network applications (such as e-mail, browsers, and even the operation systems themselves) frequently present more of a threat than does Skype. To deny oneself promising and economically beneficial forms of technology is plain wrong. One needs only to use them correctly and create the right environment.”

Security and Skype

From participants’ feedback (fig. 5) we see that the factor of security is very high up the list of concerns when deciding whether to bring Skype onto a corporate network. Two-thirds of specialists surveyed (66.4%) either felt strongly or tended toward the view that IS threats make the implementation of Skype within a company more problematical. This is a significant number. In addition, as was already noted, the root cause of the problem does not lie with Skype’s technology, but rather with the its incorrect or malignant use. Naturally, any new technology which increases the risk of confidential information leaks will be given a hostile reception. This brings us to a dangerous pass. Without the implementation of advanced, modern technology companies cannot compete. But at the same time, the use of new solutions is complicated by the additional IS threats they may cause.

Do IS threats prevent Skype’s implementation in companies?

To return to the survey’s results, we see that 33.7% of specialists think that the additional risks do not present an obstacle to the implementation of Skype within companies, whereas 66.4% hold the opposite view. The result is that IS risks arising as a result of using Skype are a real obstacle to companies implementing VoIP programs. At the same time, it is hard to call such a view logical since it is the users themselves which are the cause of additional threats. As summary, if one takes the right steps to protect information, then it is unlikely to be leaked via Skype.

Conclusion

The research showed that there is some danger from the use of Skype in a corporate environment. The highest risk (55.6%) is of loss of confidential data. This should come as no surprise since VoIP programs are a convenient means for the misuse of internal data. Here, the threat from hackers (29.0%) and the penetration of malware onto the intranet (31.7%) was significantly overestimated by those surveyed. This was due in some part to traditional fears of computer integrity breaches and of resources “freezing up”. In reality though, the problem of hackers is not so pressing at the current moment and the number of worms and Trojans using voice-conference programs is limited.

At the same time, it is clear that, in principle, no IT instrument can be considered free of risk should it be used incorrectly. And according to the survey, it is the human factor itself which is the primary problem (44.6%) when using Skype. Besides people, the software environment also has a negative effect on security (26.7%). Only 23.4% of survey participants consider the primary cause of breach to be the VoIP client itself.

In conclusion, we can say that almost half of the survey participants think Skype makes the theft of confidential information much easier for those who wish to misuse internal data. And it is true that Skype involves a whole range of new leakage channels. Firstly, there is voice traffic. Just as with a mobile phone, one can make a call on Skype and read out a part of a document’s text. Secondly, there is file transfer. This facet is analogous to sending files via FTP, by e-mail, or ICQ. Thirdly, there is the issue of copying valuable data to the clipboard then pasting it into the chat facility which Skype supports. This facility is analogous to ICQ or Internet chat. However, of all these channels, the only relatively new one is voice traffic. All the other channels can be easily controlled by the same means used to prevent leaks via e-mail, pagers or the Internet. VoIP traffic itself, however, can hardly be said to be a dangerous leakage channel since, while an insider may relay information to an accomplice in this way over Skype, there is a limit to the amount of data which can be transferred in this way. And if a Skype user is in an open-plan office environment there should be no need to worry about leakage via voice traffic at all. Meanwhile, other leakage channels must be monitored or confidential information will soon fall into the hands of competitors or be made publicly available.

The InfoWatch analytical center has published its results for 2006 presenting the first global survey of internal information security (IS) breaches. The goal was to analyze all leaks of confidential or personal data, cases of employee sabotage or negligence, and any other breach of internal IS which had received at least one mention in the mass media during 2006. The survey is truly global since the analysis includes all internal violations regardless of the geographical location of particular company or government structures affected by insider sabotage. Thus, all patterns and tendencies revealed in the survey can be equally applied to companies of all industries and countries.

This survey is the first global project targeted at the study of breaches of internal IS. In 2004, the InfoWatch analytical center began keeping a database of breach occurrences. Today, the database contains nearly 500 entries, 145 of which were added during 2006. This database provided the initial information for the survey.

The results of the survey naturally supplement the conclusions of the wide scale survey Internal IT Threats in Europe 2006 in which InfoWatch questioned more than 400 European organizations. However, unlike the latter project, Global Leakage Survey 2006 identifies tendencies in the development of internal threats of IS and how they happen.

Key conclusions

• For the most part, it is businesses that suffer from leaks of confidential information. According to the survey, 66% of internal breaches occurred in private companies. Moreover, businesses carry the main burden of loss caused by such leaks since a company’s competitiveness depends on its reputation, and reputation is the first thing to suffer in the event of an information leak.
• In 2006, a vast number of people suffered from information leaks. Just 150 breaches exposed 80 million people to identity theft. Many of them are now at risk of becoming victims of swindlers, losing all their savings, or having their credit history ruined forever.
• Every leak of personal information causes million-dollar losses. In addition to financial loss, a company’s reputation is ruined and hundreds of thousands of people face having their identities stolen. On average, 785,000 people suffered from every leak of private information in 2006.
• Organizations which allow their employees to use mobile devices are in a high-risk group. The use of mobile devices led to information leaks in half of all breaches (50%); meanwhile, the Internet was used as a medium for leaks in only 12% of cases.
• The main threat for a business is a lack of discipline among employees. Negligence led to the overwhelming majority of all leaks (77%) in 2006. This suggests that insiders can be found in any company.

The sources of information leaks

A survey of 145 breaches of internal IS shows that information leaks have a global character. One cannot point to any area of business or any particular geographical region where companies have rarely or never suffered from the activities of insiders. Small business and giant corporations, commercial organizations and governmental establishments all experienced cases of information leakage in 2006. Insiders managed to jeopardize the security of such strong and well-protected structures as military and special services. Again, such cases involved mobile devices and the Internet. Often, as a result, top secret information became freely available on the Internet, or ended up in the hands of journalists or foreign states.

Chart 1 shows the distribution of breaches of internal IT security between government and commercial sectors. It is clear that private companies suffer from twice as many data leaks, cases of sabotage and other breaches than government structures. There are several reasons. First, the number of private companies greatly exceeds the number of government organizations. Second, it is easier for government organizations to conceal a leak when one occurs. It often happens that the controlling body is responsible for a breach of internal IS. Thus, we have the problem of lack of control over the controller. Meanwhile, some cases of information theft from government structures become public. This happens when it is simply impossible to hide the incident, or when it becomes necessary to make public example of the offender. For instance, for many years the US government kept quiet about breaches of internal IS. But today, news about information leaks and gaps in security systems is commonplace. One of the latest cases reached the news when the US Tax Inspectorate announced in November 2006 that almost 500 laptops had been stolen over the preceding 4 years.

Commercial organizations, on the other hand, do not just experience a lot of data leaks, but also suffer from the huge losses they cause. The company’s reputation and brand image are significantly damaged by such leaks. This problem is as vital for government organizations. In a competitive market, customers can easily switch to a more reliable supplier, but one has no alternative but to engage with one’s own state and its governmental ministries. Imagine that a tax inspectorate had a substantial leak of private information on companies and individuals. People would be extremely unhappy about such an incident. But nobody can stop using government services in such a case.

The nature of leaks

Insiders have no qualms about what confidential information they steal. However, the survey discovered that personal details are stolen several times more often than any other kind of information (see chart 2). While intellectual property, commercial and industrial secrets are unequivocally very valuable, it is private information that is most valued by insiders.

However, the occurrence of both types of leak – whether clients’ personal details or a company’s confidential information – are very dangerous for a business. The survey clearly shows the number of victims of a personal information leak is usually huge. Chart 3 compares the total number of victims of personal information leaks in 2006 and the average number of victims of each leak. It turns out, that every breach of IS which involves the leak of customers’ personal information exposes approximately 785,000 people to ID theft.

Chart 4 shows the percentage of information leaks based on the number of people affected. The survey reveals that the majority of incidents affected relatively small groups. For example, 33% of information leaks harmed groups of less than 5,000 people, and 28% harmed between 5,000 and 50,000. However, we already know that the average number of victims is 785,000 – which significantly exceeds the figures mentioned above. This is because the average number was greatly influenced by huge information leaks that occurred in 2006. An example which immediately comes to mind in this regard is the information leak from the US Department of Veterans’ Affairs which occurred in May of that year.

How information leaks occur

The most important question is: How exactly does information get leaked? In order to combat information leaks it is important to identify the channels by which data is leaked from a company. Whereas IS specialists may need time to identify such channels, insiders – in most cases – already know exactly what they need to do to steal data. That is why an effective security system must close all possible loopholes. They are as follows:

As we can see, most information leaks (50%) are perpetrated via mobile devices (laptops, PDAs, USB flash, CD, DVD, etc.). Whereas the small size of mobile devices makes them convenient, they can easily be lost or stolen. In the case of accidental loss of media, the confidential information ends up in the hands of a stranger to be used at the finder’s discretion. Whereas, internal fraudsters can easily take out information from the workplace hidden on small media.

The second most widespread channel of information leaks is the Internet (12%). The Internet is less popular than other means since it cannot be used for transferring large volumes of information quickly – something which mobile devices can do. Besides, network filtration makes it easy to identify the insider and prove that an instance of data theft took place. An additional 5% of incidents occurred through incorrectly utilized or lost storage media. E-mail/faxes and standard mail were responsible for 3% of incidents each. 17% of breaches of internal IS happened through other channels; for example, information was leaked as a result of outsourcing to an unreliable partner. In 10% of cases the channel of information leak was unknown.

Insiders motivated by profit make up just one category of dishonest workers. The survey shows that by far the greatest number of information leaks (77%) results from the actions of undisciplined employees. The main reason for breaches of internal IS is failure to observe company policy, or basic negligence in protecting information. For instance, laptops with unencrypted data are quite often lost, despite the fact that company security policy requires all information on mobile computers be encrypted. Moreover, there are cases where people unwittingly perform insider actions, providing confidential information to fraudsters who manipulate them by using methods of social engineering. Once again these results emphasize the fact that any group of workers can contain insiders.

The biggest information leaks of the year

The five most notorious information leaks of 2006 (see table 1) make 2006 the year with the largest volume of information leaks in history. The total number of people who suffered from these five leaks was a little under 50 million.

For example, on May 3, 2006 criminals stole a hard drive from the house of an employee of the US Department of Veteran Affairs. As a result, personal details of 26.5 million veterans and 2.2 million active-duty servicemen fell into the hands of fraudsters.

The biggest leak in Great Britain happened in August 2006. Burglars got into the house of an employee of the Nationwide Building Society and stole a laptop with the company’s clients’ personal information in unencrypted form. 11 million people face the risk of ID theft as a result. Nationwide notified the police at once, but the investigation was fruitless. Three months later the company started sending notifications to the victims.

Other leaks, while not so big, still affected millions of people. One noticeable fact is that in four out of the five biggest incidents the information disappeared from mobile computers. In those four cases, the reason was employee negligence in protecting personal information. For example, in the case of the American veterans, the employee should not have kept secret information at home. An even worse violation of IS was that in all cases the files on the mobile media were not encrypted.

Conclusion

2006 breaks all previous records in terms of the number of breaches of internal IS and the scale of total losses. Several of the biggest leaks in history happened in that year. Among them was the theft of the personal information of 28.7 million servicemen and veterans of the Army from the US Department of Veterans Affairs and also the leak of private information of about 11 million members of the British Nationwide Building Society. All this gives us grounds to dub 2006 The Year of Data Leaks.

The figures of tens of millions of victims and millions of dollars of economic loss are, in themselves, frightening. The example of such careless organizations stands to become a factor provoking other organizations to action. Regardless of all the bad news, however, there are some positive changes in the industry. Managers of companies have started realizing the importance of defending against information leaks. The popularity and massive introduction of new standards and legislative acts help in this regard. It is worth noting that in California, USA, the SC 1386 law has already been in effect for several years and has meant that the problem of leaks has received the attention that it deserves from society, authorities and the press. At the same time, a federal law with the same requirements is being worked on, though we are yet to see specific results. At the same time, there is the prospect of a new European Union directive, according to which organizations will be obliged to disclose all cases of leaks. It is possible that such a standard will appear in one or two years.

Such are the results of 2006. We hope that 2007 will prove to be a turning point in terms of internal threats. At present, the majority of companies have already started paying attention to such breaches in the protection system that allow confidential information to easily leave the organizations’ boundaries. What remains is to find the best solution and introduce the necessary protection systems.