Earlier this month Josue wrote a blog about your company’s name on the list of security breaches. That got me wondering “Is there actually a list?” and, if there is a list, what really are the causes of security breaches?
Well, a little bit of research led me to the Open Security Foundation’s DataLossDB and sure enough they have very detailed statistics on security breaches. While they have a little bit of data from 2003-2005, they have really been effectively collecting data from 2006 and forward. They are able to obtain information from police reports, news articles and most importantly when companies make public disclosures of breaches (as is required in a number of locations).
The chart below is based on 1,846 incidents. When you add stolen computers with stolen laptops you get 29% and this is the single largest reported reason for security breaches. Hacking attempts may get more newspaper space – but they continue to trial the issues of theft.
Looking at the data, there are 5 reports of stolen laptops for April 2009. The month is not even over yet and they have reports from both Great Britain and the United States. The US reports are from coast to coast with Georgia, New Hampshire and California – not to mention you have to leave the US mainland for the fourth report by the Hawaii Department of transportation.
Also, it is important to realize that sales of desktop computers have been declining as purchases of laptop computers and the newer and smaller netbooks are on the rise. Thus there is every reason to believe that the 22% of the issues being related to stolen laptops is only going to increase.
Now, if Alertsec has their way, while the number of thefts might rise we would actually see a decline in actual security breaches. Consider this data as you make plans as to when and how to encrypt the laptops your own or support. Is it now time past the time when you should be protecting the laptops that you are responsible for!
Great article David. What really amazes me about this data is that most of these numbers are only for those breaches that are “disclosed.” I can only imagine how many are not disclosed and thrown under the rug per se.
It is not in any companies best interests to disclose these breaches, but it’s also not in their best interest to have customer data stolen. Companies must balance this by implementing the right technology, processes and education.