The success of any risk mitigation process correlates directly with how well the risk or threat is understood and with the completeness and accuracy of the data describing it. With that in mind, our staff would like to turn your attention to data breaches, a topic that many information security, network security compliance, cybersecurity and privacy team members in your organizations find to be an elusive yet ongoing threat.
The results of a recent study, "The Leaking Vault: Five Years of Data Breaches", should be an interesting and valuable reference document for the libraries of those team members.
This information was first observed in an article written by M.E. Kabay and posted on the Network World website. The article addresses the study report authored by Suzanne Widup, an MSIA graduate of Norwich University. The study was sponsored by the Digital Forensics Association.
The study's executive summary lists the following highlights and recommendations:
- The Leaking Vault study presents data on 2,807 data breach incidents – and is the largest study of its kind.
- The study covers breaches from 2005 through 2009 and includes over 721.9 million known records disclosed.
- The Laptop vector led in number of incidents, at 49% of all breaches, but the Hack vector led in records lost, with 327 million records, or 45% of all records disclosed.
- When an incident involved Insiders, it was more than twice as likely to have been an accident.
- Third party partners facilitated the disclosure of over 111 million records.
- Social Security Numbers (SSNs) are the most frequently reported data element.
- Only 27% of the cases involved customer credit card data, yet credit monitoring was offered to the victims in only 60% of those cases.
- Using figures from the recent Cost of a Data Breach study, the estimated cost over the five years covered is U.S. $139 billion. This counts only the cost borne by the disclosing organizations, not downstream/upstream costs, nor the cost to the data subjects of the time spent repairing their records.
- Organizations should ensure that their data lifecycle is managed end-to-end whether the data is on paper or in electronic form.
- Organizations that rely on the login password to keep data safe on a lost or stolen laptop are operating under an inaccurate risk assumption: a login password controls access to the operating system, not to the data on the disk, which can be read by removing the drive or booting from other media unless full-disk encryption is in use.
- Security requirements for third-party partners must be included in contracts from the beginning.
- Internet-facing systems should be scanned regularly for both the presence of sensitive data that should not be stored there, and for code vulnerabilities that put data at risk.
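The last recommendation is the one that lends itself to a concrete check. The following is an added example, not code from the study, the article or the Digital Forensics Association: a small scanner that walks a directory (for instance a web root or an export folder on an internet-facing host) and reports files containing SSN-shaped values that pass the Social Security Administration's structural rules and card-number-shaped values that pass the Luhn check. The sample files are constructed for the example, and the SSN area-number rules (no 000, 666 or 900-999 areas, no 00 group, no 0000 serial) and the Luhn algorithm are general facts, not taken from the page. Findings are masked so that the scanner's own output does not become another copy of the sensitive data.

```python
"""Scan files for Social Security Numbers and Luhn-valid card numbers.

Added example: finds sensitive data at rest on a system where it should
not be stored. It does not look for code vulnerabilities; pair it with a
vulnerability scanner for the second half of the recommendation.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample inputs (not from the study): the sort of leftovers a
# web root or export directory might accidentally hold.
SAMPLE_FILES = {
    "export.csv": (
        "name,ssn,card\n"
        "Alice,219-09-9999,4111111111111111\n"   # valid SSN, Luhn-valid PAN
        "Bob,000-12-3456,4111111111111112\n"     # invalid area, Luhn fails
    ),
    "notes.txt": "Order 1234-5678-9012 shipped. Contact 987-65-4320.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """SSA structural rules: area not 000, 666 or 900-999; group not 00;
    serial not 0000. Cuts most false positives from phone/order numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


def find_pans(text):
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value):
    """Keep only the last four digits so reports do not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_files(files):
    """files: {name: text}. Returns [(name, kind, masked_value), ...]."""
    findings = []
    for name, text in files.items():
        findings += [(name, "SSN", mask(s)) for s in find_ssns(text)]
        findings += [(name, "PAN", mask(p)) for p in find_pans(text)]
    return findings


def scan_tree(root):
    """Read every regular file under root (binary junk ignored) and scan it."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue
    return scan_files(files)


if __name__ == "__main__":
    # Write the constructed samples to a temp directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_FILES.items():
            Path(tmp, name).write_text(text)
        for name, kind, value in scan_tree(tmp):
            print(f"{kind} in {name}: {value}")
```

Run as-is, the scanner reports one SSN and one card number, both in export.csv; the invalid-area SSN, the Luhn-failing card number and the 12-digit order number in notes.txt are all dropped. Point `scan_tree` at a real document root to use it; in practice you would also scan database dumps and backups that end up under the same tree, and schedule the run rather than relying on a one-off check.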
We hope this information assists your organization's risk mitigation efforts against this ever-present threat.
Click here to read Suzanne Widup’s full study report.
If applicable, please pass this information along to those risk management, business continuity and PS-Prep risk mitigation team members in your organization.