Workplace Education As Important As Data Encryption When It Comes To Endpoint Security: A Calculation.

According to a national survey conducted by ISACA, thirty-five percent of US workers have violated their company’s IT policies.  Sixteen percent have also used peer-to-peer filesharing programs at work.  When put in this context, I guess it’s not surprising that major companies such as Pfizer and Citigroup had major data breaches in the past six months.  The survey was conducted via phone and geared to white-collar workers, so depending on the definition of “white collar” the problem might add a couple more points to the above stats.

What’s even more eye-popping is that they found that “on average, at a company of 1,000 white-collar employees, up to 70 employees are likely using peer-to-peer file sharing at work often or very often.”


Let’s do some calculations, shall we?  What are the chances that there will be a data breach due to P2P filesharing applications?  First, we must make an assumption.  The assumption is that most people know how to set up P2P programs so that sensitive files are not exposed to outsiders, including accidental mishaps.  I’ll be generous and say that there’s a 1% chance that someone (anyone) might mess up.  I’ll make a second assumption that in the one instance where someone messes up, the corporate network is compromised.  Of course, this doesn’t mean that if two people mess up, the damages are double.  Regardless of one or seventy breaches, the damages are the same (and out of the scope for this exercise).


If you’ve taken some basic statistics classes (and understood what was going on…I can’t claim that I did, not all the time), you know that there are multiple ways the breach can come about.  One person made an error.  Two people made an error.  Three… ad nauseam.  So, the chances of a data breach are actually quite high, and almost impossible to calculate one by one, then sum them up.  In such instances, what people do is calculate the opposite: what are the chances that no one will make a mistake, then subtract it from 1 (i.e., 100%).  For example, the chances of throwing a 1 when rolling a die are 1/6.  The chances of not rolling a 1 must be 5/6 (or, 1 – 1/6).  In our P2P case, the difference is the total chances of a mess-up scenario.  (The total, since it doesn’t matter if one person messes up or all seventy mess up, and all scenarios contribute towards the network breach.)


Well, the chances of no one making a mistake is (0.99) * (0.99) * (0.99) * and so on, seventy times, or (0.99)^70, since we’re dealing with seventy people, and each person has a 1% chance of messing up (meaning that each person has a 99% chance of not messing up).


1-(0.99)^70  =  0.505 or 50.5%


In other words, there’s a slightly better than 50% chance that you will have a network breach.  If you run the above exercise with all 1000 employees, you get a 99.996% probability of a breach.  (It will never reach 100%, since there’s the slight probability that all 1000 employees set up their P2P software correctly.)  Remember, this is assuming that people know what they’re doing 99% of the time.


Of course, the assumption is generous.  I know people who know what they’re doing 0% of the time, and when you consider all the horror stories you hear from the guys (and gals) manning the support desks, I’m pretty sure the zero-percenters can be found in all businesses.  The chances of a breach shrink to approximately 10% when 11 people, not 70, run P2P software.  Notice the disparity, the effect a small number of users can have?  Out of 1000 employees, 1.1% of the people account for a 1-in-10 chance of breach.  And 70 people (7% of the employees) account for over a 50% chance of a breach.
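The complement calculation above, carried through in code as an added example (not part of the original post). It reproduces the 11-, 70- and 1000-user figures, turns the question around to ask how many P2P users it takes to cross a given breach probability, and handles the mixed case where individual users have different error rates, including the "zero-percenter" whose error rate is 100%. The function names and the sample population are constructed for this example.

```python
import math
from functools import reduce
from operator import mul


def breach_probability(users: int, error_rate: float = 0.01) -> float:
    """Probability that at least one of `users` misconfigures P2P software.

    Uses the complement trick from the post:
    P(at least one error) = 1 - P(nobody errs) = 1 - (1 - error_rate) ** users.
    """
    if not 0.0 <= error_rate <= 1.0:
        raise ValueError("error_rate must be between 0 and 1")
    if users < 0:
        raise ValueError("users must be non-negative")
    return 1.0 - (1.0 - error_rate) ** users


def breach_probability_mixed(error_rates) -> float:
    """Same calculation when each user has a different error rate.

    One user with error_rate 1.0 (the post's 'zero-percenter') makes the
    no-error product 0, so the breach probability becomes 1 no matter how
    careful everyone else is.
    """
    nobody_errs = reduce(mul, (1.0 - p for p in error_rates), 1.0)
    return 1.0 - nobody_errs


def users_to_reach(target: float, error_rate: float = 0.01) -> int:
    """Smallest number of users at which the breach probability >= target."""
    if not 0.0 < target < 1.0 or not 0.0 < error_rate < 1.0:
        raise ValueError("target and error_rate must be strictly between 0 and 1")
    # Solve 1 - (1 - p)^n >= target for n; both logarithms are negative.
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - error_rate))
    # Guard against floating-point error right at the boundary.
    while breach_probability(n, error_rate) < target:
        n += 1
    return n


if __name__ == "__main__":
    for n in (11, 70, 1000):
        print(f"{n:5d} P2P users -> {breach_probability(n):.4%} chance of a breach")
    print("users needed for a 50% chance:", users_to_reach(0.5))
    # Constructed sample population: 69 careful users plus one zero-percenter.
    print("with one zero-percenter:", breach_probability_mixed([0.01] * 69 + [1.0]))
```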


In our original calculation, if the breach ends up costing $1 million, you can expect to pay that amount due to a security breach sooner rather than later.  I can assure readers of this post that solutions for minimizing risk can be had for much less than that one hundred grand.


Some will point out that the above is not realistic, that it’s too simple.  I agree.  As anyone knows, real life is more complicated, which implies more points of failure, in addition to the need to lower the generous 99% “people-know-what-they’re-doing” rate I gave in the above example.  If anything, not having the correct safeguards shoots the chances of a breach to well over 50%.


What can an IT guy do?  Well, a little education goes a long way.  Some people are not aware of how Trojans and viruses work, or how easy it is to allow malware to get embedded into computers.  Others are not aware of how the actions of a few can have such debilitating repercussions.  A simple calculation like the one above can illuminate the reasons why computer policies are in place.  Also, when all else fails, he or she might consider setting up white lists for which applications can run on the computers in the network.  This way, employees can attempt to ignore company security policies, but they won’t be able to install any software that is not approved by the IT department to begin with.


With a service such as AlertBoot, application control can be easily set up and deployed across a network.  Plus, you can get whole disk encryption for minimizing the chances of a data breach if computers and laptops are stolen, and control which devices can be hooked up to a computer (mouse to a USB port?  OK.  USB drive to a USB port?  Not OK) based on the user.
