Thursday, January 15, 2009

Data breaches on the rise in 2008

The Identity Theft Resource Center (ITRC) published a report last week on data breaches in 2008. According to the report, published January 6, 2009, reports of data breaches are up significantly over 2007. Of course, this doesn't necessarily mean that there are more data breaches than before. Reports of breaches are bound to increase due to heightened awareness of the issues, laws and regulations enacted specifically to address them, and public pressure. Experts believe that the increase in the number of reported data breaches can be traced to these factors, as well as the likelihood that criminal activity in this area is, in fact, on the rise.

The information is sobering. For example, "only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection." This means that the vast majority of reported data breaches were of unprotected information. It is akin to leaving your car running and unattended in the grocery store parking lot. It's just too easy.

Another troubling piece of data is that nearly 16% of the breaches were traced back to malicious internal behavior (please see the nearby table). I believe this means that the work that IT leaders have done to protect their data against external threats has likely been reasonably successful. However, it also means that internal control is too weak. Companies need to invest in ensuring that employees have access to only the data they need to be successful in their work. Not all of this will be accomplished by technology, and at some point you will simply have to trust your people. But clearly there are improvements available.

Finally, the report tells me that institutions are not valuing their data. An element of the report indicates how much data was actually exposed. In the financial sector alone, over 18 million records were exposed in 2008. Of those, over 750,000 records exposed included password information. For a bit of perspective, that's more people than live in North Dakota.

The fallout from appearing in a report like this can be devastating. There are legal penalties and the potential for civil action, not to mention the damage done to a company's brand. Now is the time to implement firm data access guidelines. Roig Consulting can evaluate your needs and help you develop appropriate policies for your firm.

The ITRC report: 2008 Data Breaches Report
Additional Detailed Data: 2008 Data Breach Statistics
ITRC Home Page: The Identity Theft Resource Center
