By Lisa Vaas
November 2, 2007
A sizable chunk of business data is being lost electronically in simple
Since January 2005, there have been 167.7 million records containing
sensitive personal information exposed by security breaches, according
to a running total kept by the Privacy Rights Clearinghouse.
The question is, How does this information get out there?
Loss or theft of a physical object forms by far the largest hole in data
security. According to an analysis (PDF) done recently by David
Litchfield of Next Generation Security Software, based in Surrey,
England, 43 percent of records lost since Jan. 1 slipped out of
organizations on paper, computers, laptops, disks or backup media.
Other researchers put the figure higher for records that were exposed
due to lost or stolen computers or mediasecurity expert Chris Walsh has
analyzed New York data sets and puts the figure closer to 99 percent.
Either way, that's a lot of gear growing legs and walking off. But
Litchfield, like other database security experts, is of course primarily
concerned with electronic data breaches and how they can be stopped. And
many electronic breaches can certainly be stopped, he maintains: He's
found that since Jan. 1, the single largest contributing cause to
electronic data breaches is not cyber-thievery or insider malice but
simple goof-ups, that is, inadvertent exposure.
According to Litchfield, Word documents and spreadsheets mistakenly left
on a Web server or indexed by a search engine account for 20.6 percent
of the 276 breaches, both physical and digital, recorded up until Oct.
23 in 2007 by the Privacy Clearinghouse and by Attrition.org, a data
security site run by volunteers.
"This means that a fifth of the breach problem could be solved if
companies actively and regularly hunted out such relic documents
themselves," Litchfield said in a Nov. 1 posting.
Another thing to note, Litchfield said, is that while the number of
security breaches tracked by groups like Privacy Clearinghouse is
nothing to sneeze at, it also vastly underreports the true amount of
data exposed in breaches.
"It seems many of the discoveries were made by well-meaning members of
the public who found them by accident," Litchfield said in his posting.
"This indicates that the real number of breaches is considerably higher:
Criminals, who we know are actively seeking out such information, aren't
going to inform anyone about what they find. The same is true of
breaches due to compromisethe number must be higher."
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com