Over the last several months I’ve been talking with clients, prospects, and non-profit groups about ways to increase IT security and reduce the risk that they will lose important data or expose personal information.  More often than not, people underestimate their risk and simply figure, “it won’t happen to me.”  A recent report published by the Identity Theft Resource Center (http://www.idtheftcenter.org/index.html) sheds some new light on this subject.

What is a data breach?

The ITRC has a clearly defined policy on what constitutes a breach: an event in which an individual’s name plus a Social Security Number (SSN), driver’s license number, medical record, or financial record/credit/debit card number is potentially put at risk, in either electronic or paper format.  Most agencies, state and federal, have a similar understanding of what constitutes a breach.  (When the breached records were encrypted, the ITRC currently does not count the event as a data exposure.  Records that are merely “password protected”, however, are not considered sufficiently protected under most circumstances, and the ITRC does count those events as breaches.  The distinction matters: a password check on a file or application can be bypassed by reading the underlying storage directly, whereas properly encrypted data stays unreadable without the key.)

What is the recent trend?

The ITRC has released its latest report (http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml) for the first 6 months of 2010, in which it recorded 384 breaches that exposed at least 9 million records.  For the full year of 2009, the ITRC recorded 498 breaches.  These figures include only breaches publicly acknowledged by reliable sources; I suspect there is significant under-reporting.  Clearly this problem is not going away.

How do breaches occur?

According to the ITRC:

• 82% of all breaches were electronic; 18% were paper.
• 25% of the breaches were “non-malicious”: either a loss of “data on the move” (17%) or “accidental exposure” (8%).
• 34% of the breaches were “malicious”: either “insider theft” (17%) or “hackers” (17%).
• The remaining 41% of the breaches were not classified in the ITRC report.

What does this mean?

With this new understanding of how breaches occur, I suggest approaching the subject of “IT Security” a bit differently:

• First, focus on exposure to non-malicious breaches (lost “data on the move” and accidental exposure).  This addresses roughly a quarter of the reported breaches.  In most cases these risks can be mitigated simply by improving procedures and perhaps employee training: for example, rules on what data may leave the office and on what media, and encrypting laptops and portable drives so that a lost device does not become a reportable exposure.  None of this requires a big investment in security software, appliances, or services (that, sadly, we’d like to sell).  This is low-hanging fruit and big bang for the buck!

• Next, focus on exposure to malicious breaches.  Addressing this risk will likely require some security software, appliances, or services.  The important point here, however, is to look for solutions that address both the insider and the outsider (hacker) risk.  The ITRC figures put the two at 17% each, so they deserve attention in equal measure.