A Freedom of Information request has revealed that UK CIOs have reported 356 instances of data breaches since November 2008. Of these, 222 instances (60%) would have been fully preventable via the use of drive encryption like AlertBoot.
The 222 instances I mentioned include the loss or theft of hardware (memory sticks, laptops, etc.) and any instances where packages were lost in transit (such as by couriers). The story has had enough of an impact that several sites are covering it.
The breaches are self-reported, so it stands to reason that the figures are underreported, either because companies don't want the publicity--and think they can get away with it--or because they're not aware of a breach, or the legal requirements to report it.
The FOI request also showed that there were 546 total incidents beginning from October 2007. Simply put, the total incidents have increased on an annual basis.
Tim Holyoake, lead technologist at Software AG, the company that requested the information, noted, "The chronic problem of data loss should be in decline, and not increasing, as these figures seem to indicate."
Personally, I beg to differ.
As noted before, these numbers are self-reported, so there could be other factors for their increasing numbers. For example, actual breaches (regardless of whether they are reported) could be approximately the same, year after year, but:
- More people have decided to become honest recently (not likely)
- More people have become aware of the legal responsibility of reporting breaches (much more likely)
Of course, asserting that actual breaches have increased is as valid as the above (maybe even more so). But, when you consider that it was only two years ago that laptops outsold desktops, it could just be that breach incidents are increasing because laptops and memory sticks are selling like hotcakes.
In other words, if one million laptops were sold and there were 100 breaches one year, and the next year two million laptops were sold and there were 300 breaches...well, the rates are the same, at 0.01%, even if the actual numbers are not (remember, in this example, there are about three million laptops out there in total). I'm not saying that it's justifiable, but one could argue it's not an increase per se.
There's also the problem that we're only measuring breaches in the above case, meaning that instances where stolen laptops used encryption to protect their contents are not factored in. With more devices being sold each year, we've biased the report to show increases in breaches: the actual rates, when including protected devices, could reveal opposite trends--that is, the loss of laptops has increased, but because a majority of them used encryption, the number of potential breaches is not as bad as it could actually be. (Yeah, it's probably wishful thinking.)
I won't argue, though, that I'd like to see more companies using data protection tools like encryption software in anticipation of any breaches, instead of deploying it after they've had a breach.
Related Articles and Sites:
http://www.theregister.co.uk/2009/10/27/data_losses_growing/
http://www.infosecurity-magazine.com/view/4800/uk-cios-reported-356-data-loss-incidents-last-year/
http://www.computerweekly.com/blogs/read-all-about-it/FOI-Request-Software-AG-26-Oct.pdf
http://www.computerweekly.com/Articles/2009/10/26/238297/stolen-laptops-biggest-danger-as-extent-of-uk-data-losses.htm