A couple years ago, we noted that the old claim that "insiders" were the biggest data breach threat was no longer true, as other threats were becoming a much bigger deal. While that study seemed to use very different methodology, a new study is out that agrees that insiders are a much smaller threat, but notes that outside hacking surpassed "human error" as the cause of data breaches in 2009. While it's good that human error issues are decreasing as a percentage, is it worrisome that outside hack attacks are now becoming such a major problem? The good news in the data is that there were supposedly fewer reported attacks in 2009 (by a pretty large amount) compared to 2008 -- so one possible reading of the data is that people have been effective in preventing things like human error breaches much more often, which is what allowed outside hack attacks to take the lead on a percentage basis. However, with recent stories of things like China's hack attack on Google it seems like we'll be hearing more and more stories about these sorts of attacks for one important reason: in many (certainly not all) cases, they can be quite effective.

We've talked in the past about how those complaining about the supposed "loss" of investigative journalism, if newspapers go away, are wrong. First, investigative journalism of the kind that people think about (i.e., Woodward and Bernstein breaking Watergate) is a relatively new phenomenon, and was not a common part of newspaper journalism until just a few decades ago. Second, very few newspapers put that much in the way of resources towards investigative reporting anyway. Third, there's nothing stopping other organizations from doing investigative reporting -- and we've been seeing a growing range of new online publications that focus on investigative reporting and do a great job of it. But a separate point is that it's often really not the investigative reporters who uncover the story, but the folks involved in the news themselves -- and those folks rarely get credit for providing the info that makes the journalistic effort possible.

Over the weekend, the news came out that the NY Times actually had the Watergate story before Woodward and Bernstein at the Washington Post. The acting director of the FBI leaked it to the Times just before Mark Felt, the associate director of the FBI, leaked it to the Washington Post (and became immortalized as "Deep Throat"). As Jay Rosen points out, this really means the FBI "broke" the story just as much as Woodward and Bernstein did. If there's a story that needs to get out there, never underestimate the folks on the inside for leaking it to get it out there -- and then there will be no shortage of folks to help spread the news. Again (so people don't misinterpret this), I'm not saying investigative reporters aren't needed -- but that not all of the story comes from the reporters themselves. And, on top of that, there are a growing number of publications willing to pick up the slack.

Microsoft is warning that "malicious insider" security attacks are on the rise as the economy churns out more and more disgruntled and/or desperate laid-off workers. Combine this with the high number of data breaches that are blamed on human error, and it's clear that the human factor remains a big problem in IT security. Technology often gets the blame for data breaches and leaks, but it's important to remember that in many cases, it's the implementation of the technology, or the policies behind it, that are to blame. For instance, in the massive TJX breach, a lot was made of the fact that the company's WiFi network was protected only by the easily cracked WEP security standard. But somewhere along the line, a human decision was made not to upgrade to something stronger, while another decision was made to transmit credit-card data without encryption. Whether it's simple incompetence or malicious activity, humans often surpass technology as the weakest link in the security chain.

Every few years or so, we see a story about some disgruntled tech worker who has planted some sort of trojan in a computer network that lets him shut down or destroy the network. The latest just happens to be an employee from the city of San Francisco, and the computer system happens to be its new multi-million dollar system. Even though the guy is now sitting in jail, he's apparently refused to hand over the administrative password needed to regain control over the system. Right now, it appears that he's been able to lock other top administrators out of the system, and officials are afraid that he's actually opened up access to someone else (though that might just be fear mongering). As for what's on the system? "Officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings" among other things. Just a reminder that while insiders may not be the biggest threat to computer networks, they can still be a threat.

For years, we've been told that the biggest threat to various companies' computer networks doesn't come from outside hackers, but from internal (often disgruntled) employees. However, a new study disputes that, saying that less than one in five security breaches were due to insiders. Business partners are nearly twice as likely to be the cause of an attack, and then outside hack attacks are the largest threat. Of course, what isn't explained is whether or not the earlier data was just wrong -- or if something has changed over the last few years (more outside hacking, better controls on employees, etc.). That would probably be a lot more interesting and useful than just knowing the percentages.