The information is sobering. For example, "only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection." This means that the vast majority of reported data breaches were of unprotected information. It is akin to leaving your car running and unattended in the grocery store parking lot. It's just too easy.
Another troubling piece of data is that nearly 16% of the breaches were traced back to malicious internal behavior (please see the nearby table). I believe this means that the work that IT leaders have done to protect their data against external threats has likely been reasonably successful. However, it also means that internal control is too weak. Companies need to invest in ensuring that employees have access to only the data they need to be successful in their work. Not all of this will be accomplished by technology, and at some point you will simply have to trust your people. But clearly there are improvements available.
Finally, the report tells me that institutions are not valuing their data. An element of the report indicates how much data was actually exposed. In the financial sector alone, over 18 million records were exposed in 2008. Of those, over 750,000 records exposed included password information. For a bit of perspective, that's more people than live in North Dakota.
The fallout from appearing in a report like this can be devastating. There are legal penalties and the potential for civil action, not to mention the damage done to a company's brand. Now is the time to implement firm data access guidelines. Roig Consulting can evaluate your needs and help you develop appropriate policies for your firm.
The ITRC report: 2008 Data Breaches Report
Additional Detailed Data: 2008 Data Breach Statistics
ITRC Home Page: The Identity Theft Resource Center