Intellectual property and other sensitive consumer data are seeping out the doors of corporations at an alarming rate -- and the culprits aren't necessarily a cracker with a broadband connection holed up in his mom's basement, or a wiseguy who's Dumpster diving.
Users nestled inside the enterprise firewall with an abundance of unmanaged privileges are most often to blame, according to a soon-to-be-released study conducted by the director of an identity theft program at Michigan State University.
Theories that the insider threat is greater than that of malicious code and crackers have been floated for more than a year, but the Michigan State numbers quantify them in a frightening manner for IT administrators. More than 1,000 identity theft cases were combed and 70% were traced to the theft of sensitive data from inside a company.
"It's hard enough to prevent a valid user on a valid system from doing something bad," said Jeff Schultz, vice president of sales and marketing for Abridean Co. of Westchester, Ill., a vendor of user management and provisioning software. "But it's too easy for someone who does not belong to get access to a system. There's no way to control it, no way to track it or no way to tell if it's actually happening."
A representative of the Michigan State program told MSNBC this week that many identity thefts happened at health care or financial services companies by employees stealing data from other departments. This falls into line with the thinking that users have more access to data and systems than they need to do their jobs.
"People are granted permission to access many applications and IT loses track of it and often there are no audit records," Schultz said.
Schultz added that disgruntled workers who have been fired or laid off by a company often retain access to at least their e-mail accounts for months after their employment has terminated. Former employees are denied network access, but other avenues into the company like Web-based e-mail accounts or mobile devices like PDAs or cell phones are frequently left within reach.
"That opens you up to a number of things beyond identity theft," Schultz said. "The risk then is enormous."
Role-based automated provisioning systems manage system access and provide the audit trails that many companies lack right now.
"IT departments are stretched thin, budgets are tight and staffs have been cut. There's a lot of pressure on IT to focus on fewer new system deployments," Schultz said. "What happens with internal application security is that months may go by without a major incident and you start to say that there's no need to put something in place; it's the squeaky wheel syndrome."
Regulations like Sarbanes-Oxley and HIPAA are also putting pressure on enterprises to implement and enforce security policies that deal heavily with access to sensitive data. C-level executives of public companies are now forced by law to pay attention to the integrity of their data and have adequate auditing capabilities.
"Until a compliance issue or an identity theft arises, often there's no pressure to proactively do something," Schultz said.