A recent study of data breaches during the last six years shows some staggering figures associated with this crime, especially as it relates to costs for a business.
Conducted by Digital Forensics Association, the Leaking Vault Report is the largest study of its kind and presents data gathered from studying 3,765 publicly disclosed data breach incidents occurring in 33 countries during 2005-2010. The incidents included over 806.2 million known records being disclosed– averaging more than 388,000 records per day/15,000 records per hour every single day for the past six years.
The estimated costs to the organizations experiencing these incidents is more than $156 billion. (The study clearly points out that this cost does not include costs incurred by any organizations up or downstream from those organizations considered victims, nor does it include costs a data breach subject may have experienced)
That’s a lot of money. I think we can safely assume these figures are actually higher now since we are approaching the end of 2011. Just today the Boston Globe is reporting that 2.1 million Massachusetts’s residents were affected by data breach incidents since January 2010, with 480 breach incidents occurring between January and August of this year out of a total of 1166.
Other interesting tidbits from the Leaking Vault Report include:
* Nearly half of all of the reported breaches came from a stolen laptop, which is the case 95 percent of the time. But actual hacks accounted for the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, even though hacks accounted for 16 percent of the data breaches.
* In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number.
* From 2005 to 2010, there were 584 incidents disclosing over 17 million records with Medical data. The median records disclosed for medical data was 2,000. There were 27% of incidents reporting “unknown” loss figures. These incidents are now required to be reported under the HIPAA/Hitech regulations.
The report concludes with a summary of the recommendations included throughout the report:
1. Know where your data is from inception to disposal. If you do not know where it comes into the organization, where it is transformed, stored, shared with outside parties, archived, and finally how it is disposed of—you cannot hope to keep it secure.
2. Trace each sensitive data type from when it is created, to when it is disposed of, and all the places it is used in between. Without making these types of data flow maps, organizations are operating on an incomplete risk picture.
3. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. This should include direction for maintaining physical control offsite and onsite, as well as fallback controls for when these rules either are insufficient to keep the asset safe.
a. Information Security professionals who can influence the contents of their organization’s awareness training should be lobbying to have something included about laptops.
b. In no case should the laptop be left overnight in the vehicle—particularly at the employee’s residence.
c. Do not neglect physical controls to protect electronic data. The number of laptops stolen from offices illustrates the need for locking mechanisms for the laptops when unattended at work.
4. Organizations should either put controls in place that notify when a device is tampered with, or have regular inspections of point of sale devices, gas pumps and ATMs to mitigate this risk.
5. Attention should also be given to the use of production data in test and development environments, since those environments typically have less stringent security controls in place.
6. Organizations must “bake” security controls into contracts with third party partners. This means the Information Security personnel should be involved early in the selection and vetting of potential business partners where sensitive data is concerned.
7. While prevention of malicious activity is ideal, detection is critical to minimize the damage of an incident, regardless of actor.
8. If organizations are still using SSNs as their unique identifier, they should be taking steps to eliminate them wherever possible. Reducing the locations where this highly sought after data element is stored will only help to reduce the risk of their disclosure. Data masking and encryption should be considered in cases where they must be stored and used.
Adding to these recommendations, here are some pointers from IDology to help reduce your risks as it relates to your identity verification processes:
1. Limit the data input requirements from your consumers to the minimum requirement of your business need – if you don’t need a full SSN for audit purposes, don’t ask for it!
2. Don’t add to the data overexposure problem by feeding more data into your organization. Use a solution provider, not a data provider to verify your customers-not- present.
3. Eliminate shared secrets from your authentication process – with social networking and data breaches, shared secrets are no longer effective.
4. Leverage your internal data in the verification process without sharing any of your data with a third party.
5. Educate your employees – fraudsters are switching tactics. Instead of going for the big attack they are finding quick and easy ways to infiltrate a system making it harder to detect and stop.