We plan to spend the next several posts digesting the new study. For now, some interesting key findings (please be sure to visit the links above and download the full study):

• The average organizational cost of a data breach rose to $7.2 million.
• The average cost per breached data record rose to $214 from $204 in 2009.
• Rapid response to data breaches is costing companies 54 percent more per record that a slower response.

That last point will yield some further discussion over the coming weeks. It’s been said many times that a very slow response will cost an organization dearly. But it has also been said, and is now becoming clearer, that responding too rapidly is also more damaging. There’s a fine line to walk, but walking it correctly makes a very large financial difference to a breaching organization. Preparedness is a key.

KENS 5 reports that arrests have been made, but no charges have been filed. Thanks to Redemtech for the tip.

It’s worth emphasizing repeatedly that when a data breach happens, the entire business suffers, and suffers greatly. With the enormous impact that data breaches have, and the extreme risk that each and every employee (and contractor) can pose, it pushes prevention into the laps of everybody in the business, not just IT. Though IT may be the group that implements solutions, they are often hamstrung by lack of sponsorship in upper management, and we all know that when the bosses don’t want it, it doesn’t get done.

So then, our tip is to gather those bosses. We’re gearing here for more of the small business types, as opposed to enterprises with more formal structures who already should be (but often aren’t) doing this. Gather the business’ key decision makers and at least begin the discussion of data privacy. Do not get technical, since the meeting will likely be full of non-techies. But begin the process of educating the whole swath of managers that this problem is “organizationwide.” It’s not an IT problem alone.

This story, however, is replete with the most poignant and well-spoken quotes I have ready in months, possibly years. I simply must quote at length:

Chris McIntosh, CEO of Stonewood, said: “Once again the ICO has pressured an organisation into taking remedial steps to prevent such a data loss happening again, and once again, the details of the case show that organisations simply are not taking the threat of the loss or theft of data seriously enough.

“Too many organisations take an ‘it only happens to other people’ approach, assuming these breaches will not affect them, until they inevitably do. For organisations such as insurance companies, trusted with the sensitive personal data of not just their employees but also a multitude of customers, this is quite frankly unacceptable.

“Royal London seems to have scored a hat trick of errors in this incident: the lack of knowledge of machines’ contents; the lack of insight into laptops’ locations; and the lack of encryption on machines has all combined to make this loss much more serious than it need have been.

“Keeping track of the contents and location of company property should be a simple administrative matter, and effective, tamper-proof encryption on laptops and memory storage is now more than affordable. Organisations need to start paying attention, take more care to protect, track and encrypt their data, and aim to prevent the ICO making any more announcements such as this one.”

Well said. Very well said.

But on the topic of security directly, even IT professionals often take a “not me” mentality, whereby they either assume they won’t be targeted, or assume that the “bad guys” will not discover a vulnerability that the IT folks know exists. For example, they have a wide-open application vulnerability where a certain script doesn’t require authentication, but it would require an attacker to know what script to run. Rather than secure the hole, the Powers That Be decide that it’s just so unlikely that anybody will discover it’s there, they can rely on that fog of obscurity to keep things happy.

That’s called “security through obscurity.”

It’s a very, very dangerous thing.

Perhaps one of the most reliable truths in life is that that which is “obscure” won’t be obscure forever. You can count on that.

Secure your data through real security. Don’t rely on obscurity.

Christopher Keating over at Courant.com reports that Attorney General released a 37-page report on Tuesday, October 13, that said that the state tax department failed to safeguard the sensitive data of citizens after acting “in a ‘cavalier and careless’ fashion” with respect to data security.

The data in question were on a laptop that was stolen on Long Island in August of 2007, breaching the Social Security Numbers of 106,000 citizens.

Here’s the tale of the tape:

“The Long Island laptop turned into the million-dollar laptop as the state Department of Revenue Services spent more than that amount in responding to the incident. That total included providing free identity-theft protection to taxpayers and taking measures to prevent miscues in the future.”

Very well said. And it highlights the fact that $10, which is far less than $1,000,000, is a small price to pay to solve the problem with solutions like MyLaptopGPS.

But I’d be remiss not to issue a tip that puts my money where my mouth is. Or, that is, why not follow my own advice?

Laptop tracking, remote data destruction, covert data recovery, and a 99.6% security success rate are all excellent security layers. We’ve always said so, and have always used them. But now, it’s time to up the ante in a big way by bundling on-disk strong encryption–another extremely important layer we’ve always highly recommended.

A thief who has your laptop should have no access to your data, ever. Good on-disk encryption such as MyLaptopGPS Encryption guarantees that, and then, as always, the other layers back it up. Remember, there’s no silver bullet in the security world.

Another nice thing about a bundle of highly effective layers such as these is that additional features can surface as a result. For example, with MyLaptopGPS Remote Decryption Kill, even a thief who has your encryption key (you didn’t write it on a post-it note in your laptop bag, did you?) cannot decrypt your data.

A solid laptop data security strategy always relies on many layers. Encryption must be a primary one.

Set a password in your laptop’s BIOS. This is not the Windows password that would be used to access Windows, but a low-level password that is set right in the laptop hardware itself. Consult the documentation for your laptop for how to enter its setup mode and assign the password, but on most machines press F2 during the boot process (BEFORE Windows loads) will get you there.

Setting this password (and using a SECURE value, not “password” or “testme” or “pass123!”) prevents the thief from even accessing the rest of the boot process.

However, note that this still does not protect your data if a thief, or his buyer, wants it. He can simply remove your hard drive and attach it to another system, accessing its filesystem that way. Thus, encryption is still a must.

But again, every layer helps!

The latest versions of most of the major web browsers include a “private surfing” capability that essentially covers your tracks as you surf. This feature is not merely useful to those who “have something to hide” about how and where they surf the web, from some kind of legal or ethical standpoint. Even those who have nothing to hide from their friends and family do have something to hide from a laptop thief sitting at the keyboard.

The more that thief, or the person/organization to whom he sells the stolen laptop, can dig up easily, the more likely he is to gain access to information or capabilities you don’t want him to have. For example, if your browser history reveals your banking website, *and* you have your password stored, he’s right in. That’s a worst-case scenario.

But even if you don’t have your password stored, the criminal still has something to go on, knowing where to try to break in. You might as well slow him down by not making it so easy in the first place.

This also brings up the notion of bookmarks. If you bookmark your banking websites, and other sensitive sites, beware. The thief can peruse your bookmarks as well.

This is why MyLaptopGPS deletes files like bookmarks and browser histories–data you simply don’t want a thief to have.

First, watch the footage:

What we notice here is important.

1. At 16:09:39 the thief enters the restaurant.
2. He waits 25 minutes. According to the restaurant owner, he even ordered some food.
3. At 16:34:20 he prepares his strike.
4. Five seconds later, at 16:34:25, he strikes.
5. In 11 seconds, he has made the hit, packed the laptop, assembled his gear and heads for the door. 11 seconds.
6. He’s to the front door in six seconds (16:34:42) and gone.

This seems eerily consistent with the famous Twenty Second Window that we’ve been hailing for years. Thieves strike in about 20 seconds. In this case, actually, the entire strike-and-pack was 16 seconds. This thief gets extra credit for shaving four seconds off the clock.

Furthermore, the laptop itself was in a conspicuous laptop bag, making it a prime target. Additionally, it was left unattended for a short period of time.

From the video, it is not clear whether the laptop was marked visibly. It is also not clear what other laptops were available. If you’ll grant me some breathing room, I’ll go out on a limb and say the laptop wasn’t marked and at least one other target was available–at least one other laptop on the premises could have been stolen instead.

1. Twenty Second Window
2. Unmarked property
3. Conspicuous laptop bag
4. Laptop left unattended, even briefly

This is a textbook laptop theft. MyLaptopGPS has a 99.6% success rate stopping this very event. It happens every 12 seconds, after all. We now have to wonder what data was stored on that laptop.