IT Productivity Center

Security Procedures vs Cyber Attacks

rss@itproductivity.org — Wed, 08 Jul 2009 11:39:35 -0600

Cyber attacks target the computer or telecoms networks of critical infrastructures, such as power systems, traffic control systems or financial systems. What many have assumed is the worst thing you can do is shut things down. That is not necessarily the case. Many times the worst thing you can do, for example, is open a valve -- have bad things spew out of a valve.

Government and industry including the stock market are facing massive cyber attacks. While the source of the attacks was not pinpointed, officials said they suspected the attacks originated in North Korea or from groups sympathetic to North Korea. Law enforcement officials in the U.S. and South Korea have stepped up their efforts to halt the denial of service cyber attacks.

In the U.S., some government agencies including the Treasury Department, the Transportation Department and the Federal Trade Commission were down for much of the July 4th holiday weekend.

Internet Misuse Concerns CIOs

rss@itproductivity.org — Tue, 30 Jun 2009 10:22:31 -0600

When employees and enterprise associates misuse the Internet there are ramifications for and to your enterprise:

Higher operating expenses and reduced productivity
Exposure to security problems such as malware
Exposure to legal risks due to inappropriate material
Wasted bandwidth to support the misuse
Unlicensed software when users download and install software from the internet
Reputation risk from social networking which can create opportunities for employees to leak confidential information or spread damaging rumors online

Expenditures Closely Watched by CIOs and CFOs

rss@itproductivity.org — Thu, 18 Jun 2009 11:14:33 -0600

In today's economy, all purchases are carefully scrutinized to ensure that each new piece of hardware and software can produce a rapid return on investment (ROI). However, even attractive and accelerated paybacks are not enough to justify additional expenditures as cautious CIOs and CFOs must continue to slow their technology spending in order to ensure weathering the current economic conditions.

According to an annual survey of top CIOs from multinational Fortune 1000 companies conducted by Goldman Sachs & Co., networking equipment emerged as one of the greatest potential areas for cost reductions in 2009. The CIOs surveyed also indicated an intensified focus on projects involving total cost of ownership (TCO) reductions, such as server virtualization and server consolidation. Faced with severe budget constraints, many CIOs also are delaying product upgrades and technology refreshes, despite the fact that OEMs continue to release next-generation products in increasingly rapid-fire succession.

As a result, increasing numbers of corporations are embracing asset recovery strategies as part of their recession survival tactics. Corporate network budgets, in particular, can be willing recipients of a welcome boost from asset recovery since high-end routers and switches retain more value than many other types of hardware. The keys to maximizing the value of surplus technology in a down economy are determined by how, when and where to offload unwanted gear as well as identifying the partner that can offer top dollar for extraneous equipment along with unparalleled responsiveness and superior customer attention.

Metrics Key to CIO Success

rss@itproductivity.org — Wed, 10 Jun 2009 14:06:25 -0600

CIOs frequently ask what IT should measure and report to business executives. The key to success is choosing a small number of metrics that are relevant to the business and have the most impact on business outcomes. The basis for metrics that work are that they meet the criteria for relevance and impact are investment alignment to business strategy, business value of IT investments, IT budget balance, service level excellence, and operational excellence.

Metrics should form the core of an IT performance scorecard and should center around:

Alignment of IT initiatives, investments, and operational support to the strategy of the enterprise
Value added that IT brings to the enterprise
Cost of new initiatives versus the cost of maintenance of existing processes
System availability and ease of use
Health of systems and IT function

Easier to Cut Salaries than Lay-off Staff

rss@itproductivity.org — Thu, 04 Jun 2009 14:04:13 -0600

Here's the good news: While companies certainly have laid off huge numbers of employees since the economy first started to implode, it appears many of them are doing everything they can to minimize the number. From the Challenger, Gray & Christmas, Inc. press release:

... employers announcing job cuts have initiated more cost-cutting measures than employers that have not cut payrolls. Companies that made permanent job cuts averaged an additional six cost-cutting measures. Meanwhile, companies that have avoided layoffs averaged less than three cost-cutting measures.

"There is a perception out there that some companies have not made sufficient efforts to avoid layoffs by making cutbacks in other areas. This perception is fueled, in part, by a handful of examples of companies announcing job cuts while, at the same time, rewarding top executives with large salaries, bonuses and extravagant perks. However, these examples represent the exception," said Challenger chief executive officer.

"It would also be a mistake to assume that companies avoiding layoffs are doing so out of kindness. While forging good will is certainly part of the decision for some companies, many have simply cut to the bone already or never fully ramped up after the last downturn. Other companies may have more workers than they need for current business levels but are reluctant to enact widespread layoffs, knowing that a recovery will mean recruiting and training all new workers.

"This may be why we have seen an increase in the number of companies cutting salaries and other perks. It is a lot easier to restore compensation and benefits than it is to re-hire and re-train workers when the economy improves."

PCI Compliance Has Benefits Beyond Mandated Requirements

rss@itproductivity.org — Tue, 02 Jun 2009 09:34:31 -0600

PCI compliance is used as a basis for guidance on fulfilling management responsibility in relation to audits, and information on ensuring continual improvement of IT security efforts. There is merchant confusion about all of the PCI DSSs six main themes: Building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks, and maintaining an information security policy.

PCI as a robust security standard has potential benefits beyond its immediate requirements. A generic application of its principles can fulfill other regulatory requirements for information security and privacy. PCI compliance is mostly information security best practices. However, there is quite a bit of devil in the details of the PCI requirements. There are over 250 detailed testing procedures.

Penalties for noncompliance include higher transaction processing fees, fines, and, in extreme cases, denial of credit card processing capabilities. Violators also face legal fees, civil lawsuits, customer rejection and related revenue loss, and other costs and losses. Understanding the PCI authority structure is important in maintaining control over PCI strategy and audits.

The PCI DSS security requirements apply to all "system components." A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.

Virus Targets Federal Law Enforcement

rss@itproductivity.org — Mon, 25 May 2009 09:37:27 -0600

Federal law enforcement systems have been targeted by a virus. The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement. The virus' type and origin are unknown, but spokespeople for both agencies said agencies' access to the Internet and e-mail was shut down while the issue was evaluated.

The U.S. Marshals confirmed it disconnected from the Justice Department's computers as a protective measure after being hit by the virus; an FBI official said only that that agency was experiencing similar issues and was working on the problem.

In addition to their external networks, most federal law enforcement agencies have an internal-only network to prevent cyber-snoopers from sensitive data. Government regulations require agencies to report any security issues to US-Computer Emergency Readiness Team (US-CERT).

To protect networks and information against increasingly sophisticated threats, many organizations are deploying security in layers. Some are finding that an efficient way to do this is by using unified threat management (UTM) appliances.

Office 2000 is at End of Life

rss@itproductivity.org — Thu, 21 May 2009 15:44:04 -0600

Microsoft told Office 2000 users that it will discontinue security updates for the aged suite in July as it drops all support for the software.

At the same time, the company also reminded users that it's dumping the Office Update site at the end of July, part of an effort to streamline update options.

Office 2000 falls off the support list on July 14 -- which is also Microsoft's "Patch Tuesday" for that month -- as it leaves what the company calls "extended" support. From that point on, Microsoft will no issue fixes, not even ones for critical vulnerabilities; instead, it expects users to move on to a newer suite.

By policy, Microsoft supports business software such as Office for a total of 10 years, half in "mainstream" support and the second half in the more limited support. Security updates are delivered for the entire 10-year stretch.

Microsoft launched Office 2000 in June 1999.

Security Risk Faced by Business Due to Lost of Laptops

rss@itproductivity.org — Mon, 18 May 2009 15:39:11 -0600

Anytime and anywhere employees, temporary employees and contractors can access and store enormous amounts of confidential data about customers, employees and their organizations operations on laptops. When these laptops are lost due to negligence or theft, the data is at risk if the organization has failed to use such safeguards as encryption or anti-theft technologies. Janco recommends implementing and monitoring strong Security Policies and Procedures.

Most executive managements and IT professionals believe the risk of having lost or stolen laptops will most likely increase or stay the same (i.e., not improve) over the next 12 to 24 months.

Business Record Management is Difficult at Best for Many CIOs

rss@itproductivity.org — Tue, 05 May 2009 10:16:25 -0600

Several studies have found that knowledge workers spend between 15 and 35 percent of their time finding information. The requirement to find information quickly and easily makes search technology a practical and essential tool with a measurable return on investment (ROI).

However, search engines are optimized to search web pages and documents and they still fall short inside the enterprise when you consider the additional IT assets stored in applications and other real-time sources of information like databases and ERP Systems. These systems remain "unsearchable" by many current search solutions and largely remain the domain of operational reporting and business intelligence software.

IT Metrics

rss@itproductivity.org — Mon, 04 May 2009 17:01:32 -0600

The average company that spends about 1.5% (varies by industry) of its revenue on IT and you are spending a significant amount of money on IT personnel. Personnel expenses account for the largest segment of your IT operational budget. Considering both employees (43%) and outside contractors (7%), the average cost of personnel in the IT operational budget is about 50% according to Computer Economics. The majority of the IT staff spends approximately 80% of their time on:

Application maintenance and support
QA and testing
Application development and migration
Technical and database support
Helpdesk support

The remaining time is spent primarily on desktop, network and security support.
Moreover, the average IT operational budget for application software is about 14.5%. 70% of the average application software budget is spent on application maintenance and support, while about 30% of the application budget is spent on new development.

What you should do when you get a new job as CIO

rss@itproductivity.org — Mon, 20 Apr 2009 16:50:53 -0600

The first few weeks on the job set the tone for your long term success or failure in your new job. Her are some things that you may consider as "must do's" in you first 100 days.

Develop relationships - Learn the culture - On the first few days on the job you should spend over 50 percent of your time outside of your office listening to the people who are there. Go to lunch with your peers, direct reports, superiors, and key players in your user community.
Get away from the IT Department - You have replaced someone who either was a star or a "loser" understand why your predecessor succeeded or failed and why. Your user community will tell you and at the same time you will an insight in their mind set are as well as how easy or difficult it will be to deal with them.
Get an independent assessment of the IT function - Everyone has their own opinion of how good (or bad) the function is, your job is to quickly gain an understanding of it. By using a third party you can insulate yourself from calls that there are disagreements. You in essence become a tie breaker and can show that you are in charge.
Learn the infrastructure - Understand how things are done, review job description, review the chage control process, and understand the prioritization process.
Develop a plan which will let you create some wins quickly - This will be one of the only times that you can set the agenda and at the same time you can get yourself some breathing room. Be careful to not over commit.

Tweeter and Other Applications Put Enterprise at Risk

rss@itproductivity.org — Fri, 17 Apr 2009 05:31:44 -0600

E-mail and instant messaging (IM) afford easy to use communication and collaboration by taking advantage of the Internet's abilities, but they require networks to allow a certain amount of un-controlled internet access in order for these applications to function. IT administrators must keep their enterprises connected, yet safe, by enacting measures that allow them to monitor what comes in and goes out via Internet protocol (IP) traffic. With good management CIO have the right tools in place so IT administrators can detect threats before malicious code can take root in the network. Securing the network does not mean removing all contact with the outside world.

Because e-mail and IM applications are operated by individual users who can make bad calls on which files are safe to open, network defenses can be circumvented. Viruses sent via e-mail spread very quickly, overcoming workers computers and creating unplanned Disaster Recovery activity for IT departments.

As quickly as e-mail viruses spread, IM worms spread even faster. Although an e-mail virus can send itself to entire address books, they require some action by the user before the malware is activated. IM applications, however, are open channels, and a link or file pops right into someones desktop from a friend or colleague.

The business world is dependent on e-mail. More businesses are starting to rely on IM in their internal and external communication strategies. These platforms are not going away anytime soon. So, to take advantage of them and stay connected, spam filters and antiviral measures that scan incoming and outgoing e-mails address part of the security risk. Add IM management software and integration with firewall, secure remote connectivity, intrusion detection and prevention, and youre well on your way to a productive, safe network for your business.

Metrics are the key to a CIO's Success

rss@itproductivity.org — Tue, 14 Apr 2009 13:00:02 -0600

Metrics and the other ways to measure performance are very popular among CIOs and IT Managers. Almost every aspect of a computer's performance can be and is measured, however when it comes to service metrics for IT personnel and organizations this is one area that companies pay close attention to.

Computers or machines are easier to measure since there are little to no subjective factors. But with organizations, and especially with people, the subjective factor becomes more and more important and frequently, even if the best methodology is used, the results obtained from metrics are, to put in mildly, questionable.

Who Needs IT Service Management Metrics

Metrics are used in management because they are useful. Metrics are not applied just out of curiosity but because investors, managers and clients need the data.

There is no doubt that metrics are useful only when they are true. I guess you have heard Mark Twain's quote about "lies, damned lies, and statistics" (or in this case - metrics). True metrics are achieved via using reliable methodologies. It is useless just to accumulate data and show it in a pretty graph or in animated slideshow. This might be visually attractive but the practical value of such data is null.

However, even when the best IT Service Management metrics methodology is used, deviations are inevitable. Therefore, one should know how to read the data obtained from metrics. It is also true that metrics, including IT Service Management metrics, can be used in a manipulative way, so one should be really cautious when he or she reads metrics and above all - when making decisions based on these metrics.

CIO face compliance issues with older unsecured PCs

rss@itproductivity.org — Sun, 05 Apr 2009 15:29:37 -0600

Enterprises of all sizes are hesitant to replace f existing notebook PCs due to the reluctance to spend money, and the cost of migration.

There is substantial pressure and scrutiny on all IT expenditures. However, despite this increased attention, organizations must still comply with ever more strict privacy and audit demands. One of the areas that need the most attention is the unsecure notebook PCs population that is at high risk of theft or loss. The amount of data and the ability to access corporate systems places old notebook computers among the greatest risks that an organization faces.

With the cost of hardware plummeting, and the cost of compliance issues and breaches skyrocketing, "saving money" by running a risky end-user computing environment may not make sense. CIOs can and should make the case for the twin benefits of meeting compliance and audit demands, while reducing operating costs by deploying new laptops for your mobile workforce.

Search Engines Part of Enterprise Infrastructure

rss@itproductivity.org — Wed, 01 Apr 2009 00:03:42 -0600

Recent studies have found workers spend between 15 and 35 percent of their time finding information. The requirement to find information quickly and easily makes search technology a practical and essential tool with a measurable return on investment (ROI). However, search engines are optimized to search web pages and documents and they still fall short inside the enterprise when you consider the additional IT assets stored in applications and other real-time sources of information like databases and ERP Systems. These systems remain "unsearchable" by many current search solutions and largely remain the domain of operational reporting and business intelligence software.

Drivers of Strong Security Policies and Procedures

rss@itproductivity.org — Tue, 17 Mar 2009 12:32:29 -0600

There are strong security implications and relationship between mandated compliance (Sarbanes-Oxley, HIPAA, ITIL, and PCI-DSS), sensitive information protection, and theft recovery. Organizations must consider all of these factors when defining security policies. It is no longer enough to attempt to address compliance issues without addressing data protection. Protection of sensitive information on mobile and remote computers requires an understanding of the issues surrounding computer theft and transmission interception. Having a broader understanding of how these areas inter-relate allows organizations to build a more robust security policy that addresses the issues of regulatory compliance, sensitive information protection and theft recovery.

Today, accepting the loss or theft of one laptop, PDA, SmartPhone, USB storage device, or tablet computer is simply not an option. A missing device can result in compliance and sensitive data protection issues that may be very costly to an enterprise's reputation and bottom line. Enterprises need to be able to accurately track their computers, know who is using them, what is installed on them, and be able to prove the actions taken to secure computers remain deployed and intact until the computer can be located.

Government Sites Source of Many Massive Data Breaches

rss@itproductivity.org — Mon, 09 Mar 2009 13:46:23 -0600

The Federal Aviation Administration (FAA) was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cyber security efforts.

The FAA announced the theft of personal information on employees and retirees. Two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAAs rolls as of the first week of February 2006.

The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.

Challenges for CIOs

rss@itproductivity.org — Tue, 03 Mar 2009 17:32:42 -0600

As the economic recession continues to deepen, double-digit budget cuts, hiring freezes and layoffs are becoming a fact in many IT departments. However, some CIOs are managing to keep both their staffs and their rosters of ongoing IT projects largely intact - due partly to a desire on the part of business executives to use technology to reduce corporate costs and boost revenues.

CIOs are now challenged more than any time in the past with the economic earthquake around the globe CIOs have to be smarter, creative and innovative. The only way for CIOs to survive the world economic reset in a knowledge age is to capitalize on our human capital, put their staffs creativity to work, stoke our innovative furnace. There are many ways to fuel the creative fires - from management techniques, to team building, and effectively leveraging existing and emerging technological investments. However, the key is infrastructure. CIOs that have a one that address metrics, change management, version control, system development methodology, service management, and human resources have a better chance to make it through these tough times.

Secrutiy Policies to Protect Against Data Breaches

rss@itproductivity.org — Mon, 23 Feb 2009 14:10:32 -0600

In a world driven by PDAs, laptops, and Internet connectivity, data breaches are common and costly. The cost per record of a data breach has gone from $138 in 2005 to $202 in 2009 according to the Ponemon Institute in its fourth annual U.S. Cost of a Data Breach Study.

Privacy violation statistics indicate that the number of incidences and costs associated with data breaches are increasing steadily, proving that organizations across industries need to take a more pragmatic approach for protecting information, especially in highly vulnerable non-production (development, testing and training) environments. Data in non-production can be more susceptible to a breach when it is used in development and testing activities, accessed by mobile employees or outsourced.

There are a number of best practices action steps that should be followed:

Define responsibilities as to who is the center post in security for data.
Define privacy and security requirements for your enterprise
Inventory data, both electronic and physical
Implement policies, procedures, and process to secure data
Test robustness of policies, procedures, and processes
Review at least annually

Productivity Metrics Defined

rss@itproductivity.org — Wed, 18 Feb 2009 08:48:13 -0600

Disengaged employees produce an average of 50% less revenue than an engaged employee. By knowing who is on board, who is not and why, you can invest in areas that have the greatest impact in the shortest period of time. Increased productivity provides a greater return on your payroll investment.

At the heart of an improved productivity is an effective Service Level Agreement (SLA) and performance metrics process that:

Measures the right performance characteristics to ensure that the client is receiving its required level of service and the service provider is achieving an acceptable level of profitability
Can be easily collected with an appropriate level of detail but without costly overhead
Ties all commitments to reasonable, attainable performance levels so that "good" service can be easily differentiated from "bad" service, and giving the service provider a fair opportunity to satisfy its client.

The Metrics for the Internet, Information Technology and Service Management HandiGuide® is over 300 pages, defines 540 objective metrics, and contains 83 metric reports that show over 240 objective metrics. Order Now

Billions for Security in Stimulus Package

rss@itproductivity.org — Sat, 14 Feb 2009 16:13:10 -0600

The economic stimulus package includes hundreds of millions of dollars for various IT and physical security projects. Scattered throughout the 1,500 page Senate bill are various spending items targeting physical and IT security needs. Among them are the following:

$400 million for a proposed headquarters complex for the DHS
$250 million will be available to planning, design, IT infrastructure, fixtures and other costs related to the consolidation of the DHS headquarters.
$99 million will be available to bolster the ability of the federal government to detect, respond and mitigate cyber threats.
$120 million for designing and building new backup and disaster recovery capabilities for unspecified mission-critical operations.
$200 million for a border security fence, infrastructure and technology for securing the nation's southwest border.
$28 million for the purchase of tactical communication equipment and radios for border security functions.
$100 million available to buy and deploy "non-intrusive" inspection systems at U.S. ports.
$200 million for explosives detection systems.

What leaps out is that none of that seems stimulative, it all seems like items that didn't make last year's budget.

Insiders are responsible for 70 percent of security incidents

rss@itproductivity.org — Mon, 09 Feb 2009 16:49:22 -0600

Experts estimate that insiders are responsible for 70 percent of security incidents that incur losses. With the average cost of a single internal data breach estimated at $14 million, companies are looking beyond protecting network perimeters from external threats. Many enterprises are implementing solutions that guard against the insider threat by delivering unified protection of data wherever it is stored or used.

One of the first steps is to have formal policies and procedures in place on what is sensitive information and how it is to be protected. Janco Associates has a sensitive information policy in WORD.

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 29 pages in length and complies with Sarbanes Oxley Section 404, PCI-DSS, ISO 27000, and HIPAA. The PCI Audit Program that is included is an additional 50 plus pages in length.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates.

Disaster and Business Continuity Planning Pit Fall

rss@itproductivity.org — Sat, 07 Feb 2009 09:33:45 -0600

In these turbulent economic times, it is easy for many of us to forget the basics and fall into the trap that disaster and business continuity planning are an optional activity. Here are some common pit falls to avoid.

Not having an adequately documented Disaster Recovery / Business Continuity Plan - Not having a plan is fatal - having a plan that does not cover all the bases in a step-by-step manner can be worse because of a false sense of security that it would provide.
Having your plan only in an electronic version - Be sure to store the documentation at multiple locations and verify that all key personnel have easy access to the manuals.
Not foreseeing all of the disasters that can occur - Focus on location and geography. Do you live on an earthquake fault, tornado belt, or in a flood zone? How stable is the power source are there frequent interruptions from thunderstorms or rolling blackouts?
Having a plan that only a few people are trained or know about - What if those individuals who are trained are not available? Train as many employees as possible and see that they are geographically dispersed in case of a large environmental disaster that affects all local employees.
Depending on one communication channel to notify staff a disaster has occurred - Relying on single telephone tree to notify staff during a disaster. If the power goes out in your facility and no one is there to report it, will your disaster recovery/business continuity staff be informed?
Not having enough backup up power to cover an outage of several days - My disasters last several days if not weeks. Not having enough power may limit your ability to move key resources out of the disaster region.
Not knowing what is critical to operations - What is needed to keep the enterprise running? Are there some functions and systems that you can operate without for several days?
Not testing the adequacy of your backups - It does not matter how good your plan is if your backup data is not adequate to meet the task. Testing the media and processes regularly cannot be stressed enough.
Not testing your plan - Regularly conduct data fire drills to test every possible scenario, from basic power failures to catastrophic events that could result in multiple months of devastation.
Not have necessary passwords and software keys - Password protection is a key goal for data security, you need to store your system passwords and software keys in several geographically separate, secure locations. Make sure that more than one IT staff person has to these and that these passwords are promptly changed / tested when key personnel leave the company.
Not having an up-to-date plan up to date Have at least one individual responsible for updating your plan. Revisit the plan at least on a quarterly basis.

Lay-offs Increase Risk of Data Breaches

rss@itproductivity.org — Sat, 31 Jan 2009 12:43:25 -0600

According to the IT Productivity Center cyber-crime rates traditionally spike during in economic recessions. Layoffs fray employee and contractor loyalty, and there certainly is money to be made selling all kinds of corporate data. As thousands of workers and contractors being laid off or terminated each week lately, there is an incentive for laid-off employees to take intellectual property with them to bolster their chances of getting hired with a competitor, to use with a start-up company of their own, or maybe even to sell.

Laid-off employees and terminated contractors are a serious security threat in an economic downturn. In a McAfee Inc. worldwide survey of 1,000 IT decision-makers, the company found that 42% of respondents felt that laid-off employees represented the biggest IT security threat caused by the recession. That is more than were worried about outside intruders. And 36% said that they were worried about security problems caused by employees in financial stress.

Sources for data breaches include:

USB drives - small portable and are one of the most underestimated sources of data leaks
Printed reports - traditional file dumps of sensitive information are large but easily used by non-IT types.
Web pages - customer and order history accessible by someone with a password and userid that provides access to anyone anywhere.
Back-up Media - this is the pot of gold, it has everything and all person needs is a way to access it.