The calculator can be found at DataBreachCalculator.com. Our tip: give it a try, then consider the cost of non-action.

But while the devices proliferate, their capabilities increase, and that actually brings a significant risk, since a single smart phone with a meager 8 GB of storage can carry enough proprietary, secret, sensitive, or otherwise private data to just about destroy a business–when the phone falls into the wrong hands. Thus, businesses and consumers alike are waking up to the risks of those handy gadgets.

Businesses must lead the way in managing the risk, and Paul Korzeniowski over at InformationWeek has a nice, short article entitled “Five Steps to Managing Mobile Devices.” It’s worth a read, and business owners and managers must start by getting over the psychological hump–you can manage the devices or, at the very least, you can make some decent headway to at least reduce your risk.

Here are Korzeniowski’s steps, in summary (please read the full article):

Step 1: Inventory Employee Mobile Devices

Step 5: Move To More Sophisticated Applications

Once again, here’s that link to the full article–worth a few minutes’ read. And, while we’re at it, it’s worth noting that insuring these devices is a very, very good idea as well. And it’s very affordable. See MyLaptopGPS Premier Partner Safeware Insurance for more information.

But given recent legislation dealing with data breach notification requirements, why might it still be true that many breaches either don’t get reported at all, or get a bit “under-reported” inasmuch as they provide few, if any, details and numbers about the breach (such as the number of individuals affected)?

The article claims that the ITRC (Identity Theft Resource Center) believes that the fact that some states now harbor a “protected” breach list that is not made public at all, or is only accessible via an official Freedom of Information Act request, is one cause. Similarly, for medical data breaches, the US Department of Health and Human Services has created a “risk of harm” threshold for notification requirements, which has been contentious since it was first introduced, with opponents claiming that it removes the very core incentive of data breach notification requirements: incentive for organizations to protect data in the first place, lest they have to report a breach.

Furthermore, in many cases organizations are allowed to do their own assessment of the “risk of harm.” Could this be akin to letting a convicted criminal sentence himself? Perhaps.

In any case, the article helps identify some very likely causes of continued data breach under-reporting, which in turn helps reinforce the claim that it’s really worse out there than most people realize. Ignorance may not be bliss.

A nice summary article can be found at NextGov (thanks to Jake K at DataLossDB for that tip). According to the article, the White House review found that “quantifying the value of protection motivates organizations to address vulnerabilities.” And when it comes to crunching numbers, especially with dollar signs attached, the CFO is typically front and center. The message of the guide is clear and very well underscores the growing realization, worldwide, that data security is actually not “an IT issue.”

In many organizations–in fact in most organizations–the security of data is referred to the “IT department.” It is true that IT tends to be the proper group to actually implement protections. But what tends to happen, before solutions can even be discussed or pursued, is called the brick wall of “funding” or “budgetary appropriations.” Quite simply, IT isn’t given the money or the clout to really deal with “data security” and, lacking the leadership and key sponsorship of the CFO, it fizzles. A few steps may be taken but, far and away, the priorities fall elsewhere.

Back to the guide, or “handbook,” the cost estimates included are helpful to make the point that this is indeed a business-wide decision. Here’s an excerpt from the NextGov article:

The publication estimates a data breach of 10,000 records containing personal identification information would cost about $1.6 million, assuming the company carried breach insurance with an 80 percent coverage of direct costs. That sum includes direct expenses for investigations and forensics, consulting services, notification of affected individuals, public relations, legal defense, and credit and identity monitoring — as well as the indirect cost of lost business. The handbook cites several analytical models to help chiefs assess costs and benefits.

Steps to bolster protection also include learning to view digital safety as a business strategy rather than as an operational responsibility and leading a cyber risk team of appropriate subordinates organizationwide. This team should meet in person, if possible, the publication notes. Face-to-face interactions can prevent the confusion that often occurs when separate business units speak in jargon.

Very helpful, indeed, as even the “geek speak” of the day can cause crucial issues to be lost in translation. The news headlines are packed with examples of what happens when these issues aren’t solved in time.

In addition, Peel mentions a lack of the actual underlying data security as well. This is a highly recommended, and brief, read. Access it here.

Furthermore:

Data breaches involving outsourced data to third parties, especially when the third party is offshore, were most costly. This could be due to additional investigation and consulting fees. The cost per compromised record for data breaches involving third parties was $217 versus $194, more than a $21 difference.

Indeed, it’s crucial to ensure that security policies and procedures take into account that third-party contractors, consultants, and other vendors can often be the weak link in a chain. You can always fire that third-party that breaches your customers’ data, but what good does that really do? It’s crucial to safeguard information both in-house and when it is shared with third parties.

That is, do you notify an employee that he is being let go, and then allow him to return to his desk?

If so, is he allowed to be there unsupervised? For how long?

The point here isn’t to bog down in the minutiae, but to consider what such a “former employee” might do when he was a “current employee” only moments earlier. If he’s logged into his computer, and into your servers or applications, perhaps he will inflict a tremendous amount of damage before leaving.

Most people aren’t that bold, or lack the “guts” to do it. Or, perhaps, they aren’t that vengeful.

But some are.

Furthermore, many employees who have been let go see no reason whatsoever not to take data with them, quite subtly. They may not trash your system on the way out, but they will gladly steal it.

In fact, The Ponemon Institute’s 2009 report “Jobs at Risk = Data at Risk” found that 61% of respondents who felt negatively about their employers took data while only 26% of those with a favorable view did. But of the 945 individuals surveyed, who were laid off, fired or quite their jobs in the past 12 months, 59% admitted to stealing company data and 67% used their former company’s confidential information to leverage a new job.

Company policies certainly vary, and depending upon the employee’s role and level of access, it can be quite difficult to sever ties. But be careful not to assume that the employee won’t take you for a ride on his way out.

It’s a good idea to supervise the employee as he cleans out his desk, then walk him to the parking lot. And if you have remote access into your company via the network, that must be handled before the employee even reaches the parking lot (such as while he’s cleaning out his desk or even while he’s in the meeting being let go).

It’s an ugly business, but must be handled prudently lest it turn worse for both the employer and the former employee later.

The average cost per breached data record rose $2 in 2009, to $204.  That’s actually not too bad. The average cost of a breach was $6.75 million, compared to $6.65 million in 2008.

PC World has a good article to summarize, and thanks to lyger at DataLossDB for the pointer.

Not very many businesses are taking serious note of the fact that, on average, they have $6.75 million laptops walking around out there. For those who are, our hats are off.

Here’s an interesting excerpt:

“Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.”

And how about the maximum data breach cost in the study? $31 million.

That’s a rather expensive laptop, and probably worth a few dollars to protect instead. (Note: the breach may actually have been the result of something other than a lost/stolen laptop, such as a network break-in).

The least expensive breach? $750,000. That beats $31 million, but $750k is still a pretty penny to pay, compared to protection.

Many thanks to Ponemon and PGP for another excellent study.

Talk to ten people on the street, and nine of them will tell you that they use one single password for all of their accounts (websites, systems, etc.).

After all, who wants to remember 253 different passwords for 253 different systems?

Well, it turns out that this very widespread practice is akin to keeping all your eggs in one basket. Once one is compromised, they’re all compromised. And again, even IT pros are often guilty of this same horrible practice!

Thankfully, there are very good tools available to store passwords securely (encrypted). Simply by using one of these, you can “diversify” your passwords without adding much burden at all. Many systems have clients that can sync the password database to your iPhone/BlackBerry/etc.

I carried a Palm for about 9 years. I used a very simple tool called “YAPS” to encrypt and store passwords on there, and then sync them to my PC. I’m now on BlackBerry, and have a very similar system. It works great! No problem…and no single password that is the “key to the kingdom!”

As I’ve been wading through study after study, report after report, commentary upon commentary, it seems clear that there are, well, a lot of problems out there. I know, I must be Einstein to suggest that. But seriously, the more a person studies and tries to understand the state of affairs, the more he might be tempted to throw up his hands in overwhelmed frustration. Then again, sticking his head in the sand is probably not a great idea either.

One of the best ways to cross the room to the door is…to take a step. Then take another one. And another. Before you know it, you’re there. Perhaps the same approach should be used for tying down security woes.

Sure, you may not know where to start. You might feel inadequate, understaffed, underfunded, underappreciated, or just plain underwater. But pick off an easy target.

If you can, start with the Jugular Vein. If your company is bleeding profusely due to a gaping security hole, such as unpatched servers or unencrypted laptops, then start there and work on a solution. If that Jugular Vein is actually a beast of a problem and that’s part of the reason you’re overwhelmed, fine, snooze it for a week or two and get something fixed. Just making a little progress will go a long way toward building momentum.

But of course the strong wisdom says get to that Jugular as soon as you can. Folks can survive a long time with a pretty deep gash on the shoulder. It’s probably not even life-threatening. But a Jugular wound will kill you pretty quick.

Start somewhere. One step at a time. Just start somewhere.