The Real Cost of a Data Breach - InfoSecurity Magazine US Virtual Conference Presentation
I recently contributed to a virtual conference run by InfoSecurity Magazine US
The topic was data breaches and here is a summary of my presentation.
Data loss is a real issue for many organisations, but what is the real cost and how can we try and prevent these incidents from happening?
Unfortunately, even the best intentioned and well motivated member of staff can make mistakes resulting in the loss of organisational data. In fact, the majority of data loss incidents are the result of this incompetent and non-malicious act rather than a pre-meditated competent and malicious theft of data. The fact that we can all make such mistakes often acts to motivate company security to put protections in place to prevent these events and changes the organisational reaction from one of a wish to punish to one of empathy.
As data proliferates and, more importantly, becomes fragmented across organisations on a variety of media, the control of data has rapidly become one of the most important challenges facing information security professionals and businesses alike.
I recently completed some research on behalf of McAfee, the security company, available here. We interviewed 1100 mid-sized organisations (these are companies that that employ between 50 and 1000 employees) across the world and the results were interesting:
- 40% have had data breaches in the past year, an increase of 13% from last year. So, for these companies, data breaches and data losses are a real problem. As these are generally smaller businesses they don't have the resources of bigger companies to survive a data breach. In fact 75% said that there is a chance that a serious data breach could force them out of business, up from 70% in last year's survey. 5% reported that they had suffered a data loss that had cost them more than $25,000. Of these 25% were from China, 14% from France and 11% from India.
- 47% of all reported intellectual property losses were from mid-sized organisations based in Europe. This is a real problem as for many smaller businesses, intellectual property makes up a significant part of their company valuation. Often, smaller businesses may only have one or two pieces of intellectual property, such as the designs of a key product, so any loss of this data could be significant.
The bottom line is that the real cost of a data breach to these companies can be the loss of their business.
So what about real data loss incidents?
In March 2010, Zurich Insurance announced that it was going to improve its information security after losing personal financial information on 46,000 British clients through careless handling of unencrypted backup tapes. The back-up tape, which also contained personal details of 1,800 third party insurance claimants from the UK, was lost by Zurich's South African sister company during what was described as a routine transfer to a data storage facility in South Africa in August 2008.
In total, 51,000 British records were on the tape, along with a much larger number of details about Zurich customers in South Africa (550,000) and Botswana (40,000). Zurich's UK arm wasn't informed about the problem until a year later. They were fined the equivalent of $5m by the Financial Services Authority, the highest fine levied in the UK on a single firm for data security failings.
There are also a number of scare stories relating to data loss.
In this very recent example, headlines screamed that nuclear data had been lost from a plant in the UK. In fact the memory stick that was found in a hotel room by a coach driver contained less exciting data relating to the transfer of staff from one plant to another, but few people will bother with the detail, instead it is the headline that most will remember.
For the company that owns the data it is too late, their reputation has been tarnished and the damage done. This has further political implications, as losses associated with politically sensitive industries or projects may run and run, being blown out of all proportion and used to fulfil other objectives. All because data was left, unencrypted, on a memory stick.
Another example from my archives comes from 2008.
A UK company called PA Consulting lost a memory stick containing the details of 84,000 prisoners. As a direct result of this it had its 3 year contract, worth $3m, terminated and further contracts worth $15m placed under review. It is believed that the unprotected memory stick was placed into an insecure desk drawer over a weekend.
If you lose a laptop, USB stick or CD it can be fairly obvious that the data has gone missing. Voice data is very different, as a successful interception can leave no physical trace so there is little chance of realising your data has actually been intercepted until it is too late. For many, this realisation may be when they have been undercut by a competitor or see their products copied in another country. This makes the promotion of voice security more of a challenge, as a direct link to an incident is often difficult to make.
Of course this lack of detection and traceability is a real bonus for the eavesdropper. When a victim realises the loss of data the attacker is long gone, hiding their trail as they go.
In order to understand the cost of lost voice data the Ponemon Institute, in collaboration with Cellcrypt, recently undertook a study called The Security of Voice Data.
The study reveals that 67% of those 75 organisations surveyed were not confident that the information passed during a cell phone conversation was adequately secured and only 14% use technologies to secure mobile phone calls when travelling to sensitive areas. The cost to the organisation each time a corporate secret is revealed to competitors or their agents has been averaged at $1.3 million.
There are a number of ways in which mobile phone voice data can be intercepted:
Spyware can be loaded onto a phone.
This, in turn, can activate the phone as a bugging device with full remote control available to an eavesdropper. Advanced spyware has a number of features, including voice-activated microphones to save on battery life and the ability to auto forward SMS messages and the contact list on a phone.
GSM encryption can be hacked
A number of attacks have been demonstrated and, in theory, given suitable resources, mobile phone encryption could be compromised. This is a passive attack and is undetectable as the signals are received using a specialised radio, which is both portable and easy to hide.
Threats to information security systems often emanate from inside an organisation. These can take the form of knowledgeable insiders being bribed or bullied into supplying relevant cell phone data and can even be an employee planted by a security agency. In June 2010, a technician who worked in a Lebanese mobile phone operator was arrested for being an Israeli spy and giving access to phone calls for 14 years. Because of the man's role on the technical side of the cell phone network's operations, it was assumed that the entire national network had been compromised.
It could be argued that data protection is a key role for information security people. As organisational data is dispersed throughout a business keeping a secure track on it is very difficult, but necessary. This is a tough call, as the needs of the business to have access to this data lie contrary to the desire for information security people to lock it up and prevent anyone getting to it. Clearly a compromise is important.
New and emerging threats will only lead to new ways in which data can be obtained, and keeping on top of this ball is now vital, especially when we are dealing with systems that may transfer huge amounts of data around the world in fractions of a second. The increasing use of "i" devices, online social networks and other sharing tools brings about a culture of sharing what many in older generations would consider private or personal data.
It's only by bringing together decent security policies, user education and supporting tools that we can hope to keep on top of the cost of data loss incidents.