Will the Real Security Threat Please Stand Up?
This week saw two somewhat conflicting reports on our current state of insecurity. The news ain't good, but it's better than you might expect.
The Verizon report details 855 incidents from 2011 resulting in the loss of 174 million records. Some 98 percent of those data breaches resulted from external attacks, according to the report, with the vast majority of those employing some kind of hack attack. Only 4 percent of those losses were blamed on internal employees.
Of those 174 million lost records, some 100 million were stolen by self-proclaimed hacktivists, per the report. Check out this top-level summary, which sounds like something straight out of Hollywood:
The online world was rife with the clashing of ideals, taking the form of activism, protests, retaliation, and pranks. While these activities encompassed more than data breaches (e.g., DDoS attacks), the theft of corporate and personal information was certainly a core tactic. This re-imagined and re-invigorated specter of "hacktivism" rose to haunt organizations around the world. Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined. Doubly concerning for many organizations and executives was that target selection by these groups didn't follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can't predict their behavior.
Whatever you think about Verizon, those boys can write. I can't wait for the movie.
Meanwhile, the Ponemon Institute released its seventh annual report on the cost of data breaches in the United States this week. It was a bit drier in tone, and the conclusion was quite a bit different: negligent insiders, not hacktivists, were the biggest source of problems, accounting for nearly 40 percent of all data breaches.
According to Ponemon, the average cost of a data breach to an organization in 2011 was $5.5 million -- that's actually down by almost 25 percent from last year, and the lowest cost per record lost since 2007.
The reason for this seeming good news isn't all that good, however. It seems that businesses lost fewer customers as a result of data breaches, in part because people "are maybe becoming a little numb" to the news, says Dr. Larry Ponemon, head of the institute that bears his name. Quoth the good doctor:
Maybe most of us by now have received one if not more [data breach] notifications. Over time, if you don't become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It's hard to determine which ones I should care about.
Glass half-empty, glass half-full, or glass with a crack in the bottom where the data leaks out all over the floor -- take your pick.
Throw out the series of attacks on Sony's online networks -- where something like 100 million records were breached, or nearly all of the thefts attributable to the hacktivistas -- though, and the Verizon numbers start to come a lot closer to Ponemon's.
Unless you paint a big bull's-eye on your back by doing something stupid and/or angering the unwashed hacking masses, you're probably not going to get the attention of the Anons. For most organizations, the boogie man is still themselves.
Who's the biggest threat to your data: hackers or insiders? Issue your warnings below or email me: firstname.lastname@example.org.
This article, "Will the real security threat please stand up?," was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.