Data breaches: High percentage attributable to lost laptops, just like we’ve been saying
Forty-five percent of data breaches in Australia are attributable to lost laptop computers, according to this report on Symantec Australia’s Data Loss Prevention Survey. As if that weren’t bad enough, nearly 80 percent of the 156 major Australian organizations surveyed experienced some form of data breach during the five years immediately preceding Symantec’s survey. Additionally, just shy of 40 percent experienced between six and 20 known data breaches during the same period — and the costs associated with these breaches have been, in many cases, astronomical.
The numbers are, of course, staggering. What’s more, customer records went missing at the highest rate (55 percent), followed by intellectual property (43 percent), credit card details (21 percent) and financial information (20 percent).
And, again, this is just in Australia. What’s the story elsewhere? Well, as far as security is concerned, it’s not that good.
According to a study by the Verizon Business RISK Team of 500 security breaches that occurred between 2004 and 2007, most organizations seem to lack the capacity even to know when a breach has occurred, even though most breaches are judged easy to carry out: 66 percent of breaches, for instance, affect data that the organization did “not know was on the system,” three-quarters of breaches are “not discovered” by the victim, and a commanding 83 percent of breaches are “not highly difficult” to conduct.
And, amid the confusion and, frankly, bumbling practices, the number of breaches continues to mount, with this year’s running total already surpassing last year’s total as of last month. Between Jan. 1 and Sept. 30 of this year, the total number of data breaches was 516, according to an ongoing tally by The Identity Theft Resource Center® (ITRC) announced on Oct. 6. The ITRC’s total for all of 2007 was 446 breaches, which suggests that the final number for 2008 will dwarf last year’s.
So, we have a picture: rampant data breaches; ineffective, nonexistent, or just plain clueless security practices; and laptop computers playing a key role. But security measures for mobile computing equipment don’t have to be difficult or too expensive to implement; they can be as simple and effective as laptop tracking from MyLaptopGPS.
Tags: data breaches, ITRC, laptop theft, laptop tracking, security research

October 27th, 2008 at 2:15 pm
Hi. I read a few of your other posts and wanted to know if you would be interested in exchanging blogroll links?
October 28th, 2008 at 12:05 pm
In the realm of risk, unmanaged possibilities become probabilities: These data breaches and thefts are due to a lagging business culture. As CIO, I’m always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium.”
We keep a few copies kicking around - it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects and in the face of challenging change, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices.
The author, David Scott, has an interview here that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. The real crux of the matter is education and training to the organization as a whole – and a recurring schedule of training – in building a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
I like to pass along things that work, in the hope that good ideas continue to make their way to me.
October 28th, 2008 at 9:04 pm
Mr. Franks,
Indeed, some excellent points. One of the clear factors creating the greatest challenge right now is actually the age-old bane of the system administrator or security officer: user apathy.
Of course, downright maliciousness on the part of users is also a big problem, but it’s much more common to have “benevolently lazy and non-compliant” users than to have many outright malicious ones.
So, as you mention–*laxity* is a very big deal. Users resist security models, practices, policies and procedures designed to protect them and the business. They do what they want to do and get irritated at any hurdle–even such as a password.
There are a number of valid points you raise, and I’d highlight that on at least *one* vector, this apathy issue, we’re trying to address the problem with technology that is:
1) Solid and reliable
2) Effective
AND
3) Unobtrusive
This #3 is more and more important–by protecting users without having to “ask them” first (big oversimplification), we find much more success. And the security officers like that!
Thanks again for the great feedback.