Four things you should know about data breaches

March 3, 2010

It seems that each day brings news of another collection of data breaches. A question I am asked regularly is “What should I know about data breaches?”

Excellent question indeed! Let’s quickly review the salient points raised by this question, and what can be done to palliate these issues.

1. What is a data breach?

Anytime information falls into the hands of an “unauthorized third-party”, it is technically a data breach. Basically, it is a loss of confidentiality for a given data item.

2. How much does a data breach cost?

The cost of a data breach can be difficult to ascertain. It is usually referred to as a “per-record” cost. A recent article in Network World indicated that the per-record cost of a breach used to be around $100 as of 5 years ago. Today, on average, it is in excess of $200.

Note: this cost does not take into account the cost of potential litigation, fines and reputational loss – the latter being the most difficult to quantify pre-breach.

3. How do data breaches occur?

There are mostly three categories of causes for data breaches:

Human error: from losing a PDA or laptop – or, dare I say it, an iPad – to not logging off a computer, the list of errors that a human can make is seemingly endless. It could be summed up as “human negligence.”

Machine error: a computer glitch, an unpatched host, or a PC without up-to-date anti-virus can all contribute to a loss of confidentiality.

Malicious behavior: either internal or external, malicious behavior is first and foremost a crime of opportunity – in a report published a year ago, Verizon reported that about 80% of all hacking attempts started as a crime of opportunity. The lesson to be learned here is simple: remove the opportunity, remove 80% of the actual crime.

Simpler said than done!

4. So… what can I do about it?

The first requirement is to be security-aware. It is quite difficult to protect something you don’t know you have, and didn’t realize you had to protect!

The second requirement is to develop a security program. It doesn’t have to be a cost-prohibitive endeavor to be successful, either.

As part of this security program, different controls can be designed and deployed, including, but not limited to, creating policies and procedures, providing employee training and performing internal and external penetration testing on your computer network.

The rationale for policies is simple: let’s figure out a way to run a given business process that (1) guarantees the creation of the business value that prompted the need for the process, and (2) guarantees that the security of the assets involved in that process is not threatened.

Once that policy is created, we can create procedures to supplement it.

Finally, through consistently using these policies and procedures, we can protect ourselves from threats to the confidentiality of those assets.

But this consistency will only be attained if all users are trained and made aware of these policies and procedures, hence the importance of training all employees – not just those that are directly linked to IT or the Security department.

So here’s a quick exercise for you:

Think about the type of confidential information your business hosts. Maybe it’s financial records. Maybe it’s health records. Maybe it’s credit card records. Now think about how many of those records your business has accumulated through the simple act of doing business. Multiply that amount of records by $200. That’s the potential cost of a data breach to your business.

Let’s pretend that a medical practice has 20,000 medical records and that they are all breached. That’s an exposure of $4,000,000. Before lawsuits from angry patients, before reputational loss – would you go to a doctor’s office that can’t keep your health information secure and confidential?

So what is a data breach? It is a risk incurred every day by your business, a risk that can severely impact not only the bottom line, but potentially the very existence of your business.

If you have questions about the information contained in this blog, please feel free to contact me.

Thanks for reading!

David M. Jacquet, CEH, CEI, CCE, CISSP
The InfoSec Group
(207) 749-7436
