Category Archives: Reports
Financial Services Information loss report
Bitglass have released their latest report into Information Breaches. It addresses the current ways in which information is being compromised. These reports are useful as they provide input both into developing risk models for companies and into selecting appropriate security controls to manage those risks.
Some of the results are unsurprising:
- The trend of an increasing amount of data being subject to an unauthorised release is continuing.
- Most organisations have had an incident.
- Many organisations have had multiple incidents, often repeats of the same problem.
- Attackers aim for where the money is.
The interesting part is in how information is released.
Since 2006:
- A third of incidents were directly a result of human action, evenly split between accidental and malicious action.
- A quarter of incidents related to lost or stolen devices: laptops, company phones, USB sticks, private phones and so forth.
- A fifth of incidents were caused by external attacks against the IT systems; this includes phishing attacks where the initial compromise is inadvertently aided by someone inside the company.
- The rest was a mix of mislaid paperwork, payment card fraud and a worryingly large amount of “we don’t know what happened”.
In the US, where the study was done, the average cost of a lost record (one person’s details) was $260. This is about 20% higher than the typical non-financial cost per record. One key reason for this is the increasing impact of regulatory fines – PCI-DSS penalties alone can reach half a million dollars per incident.
So:
- Information Security is a People issue, not solely an IT issue. Appropriate and relevant awareness among individuals handling the information is critical.
- Methods should be in place to ensure that data on devices that can be lost or stolen is adequately protected.
