Customer service representatives at one of the nation’s largest credit reporting agencies work in a sterile room. “No cell phones or purses can be brought in,” said Steve Ely, president of Personal Information Solutions for Atlanta-based Equifax. “No one can carry a thumb drive, or even pencil and paper.”
The idea is to safeguard personal information: at Equifax, customer service representatives routinely handle goldmines of consumer information. Taking away the tools a dishonest employee could use to copy it down is just one way the company prevents data from leaking out.
It’s a prudent move, at least according to a new national security and privacy survey, and a matter of concern for all real estate professionals and their clients. Commercial real estate companies are routinely entrusted with significant amounts of personal data on buyers, sellers and third-party entities, including existing tenants in a property for sale. “Real estate transactions are activities full of information that would be beneficial to an online criminal seeking to steal identities for fraud purposes,” explains Tim Callan, vice president for SSL product marketing at VeriSign, a Mountain View, CA-based company that operates a diverse array of network infrastructure, “and Internet users are aware of this fact. That awareness leads to reductions of online businesses people are willing to undertake.”
And specific niches of real estate have particular concerns. Consider, for instance, hotels. Customers expect that they can trust hotels with their personal information, said Lynn Goodendorf, vice president, information privacy protection for InterContinental Hotels Group, the Americas. Research shows that people have increasing anxiety about credit-card fraud and identity theft, Goodendorf said.
So the new survey, which warns of potential internal threats, gives CRE pros something to consider. Sponsored by CA Inc., an Islandia, NY-based IT management software company, and conducted by The Strategic Counsel in Toronto, the survey found internal security threats are now bigger problems than attacks from external sources. At the same time, the number of U.S. organizations reporting loss of confidential data and reduced customer satisfaction has increased by 55% and 65%, respectively, in the past two years, the CA 2008 Security and Privacy Survey concluded.
A total of 500 telephone and online interviews were conducted with chief security officers, chief information officers, chief technology officers and other senior executives responsible for IT security at a random sample of large U.S. firms and organizations. The survey is a follow-up to one conducted two years ago. Between mid-2007 and mid-2008, more than 34% of organizations reported a loss of confidential information because of security attacks and breaches, up from 22% two years ago. It’s eroding customer satisfaction, reducing productivity and leaving many companies publicly embarrassed, the survey found.
While other major security attacks are declining, internal security breaches are steadily increasing, the report found. About 44% of survey respondents identified internal breaches as a key security challenge in the 12 months preceding the survey, up from 42% in 2006 and 15% in 2003. “Conversely, the number of respondents reporting virus attacks in the 12-month periods preceding the 2006 and 2008 surveys decreased from 68% to 59%, network attacks from 50% to 40%, and denial-of-service attacks from 40% to 26%,” the survey found.
Lina Liberti, vice president, CA Security Management, says the survey demonstrates the severity of the consequences of a data breach. “The implications are now tied squarely to dollars and reputation,” she says. “The potential aftershocks of an internal breach have the attention of both the business and the IT organization, and for enterprise organizations the priority has now shifted from reactive to proactive security strategies to deal with this threat.”
Companies are spending increasing amounts of their IT budgets on security compliance, both to meet government regulations and to mitigate risk. According to the survey, 57% of respondents reported that their IT organizations spend 20% or more of their time on ensuring IT security compliance, and 56% indicated their organizations spend 20% or more of their IT budget on ensuring IT security compliance. But 32% of U.S. security executives believe their own organizations spend too little on IT security.