Tuesday, January 6, 2009

2008 Breach Numbers Nearly Double

The number of data breaches reported in 2008 was nearly double that of 2007, reports the Washington Post. The Identity Theft Resource Center (ITRC) will announce the 2008 tally today, revealing that 656 breaches were reported last year, with the majority occurring in businesses and schools (57 percent, combined). Human error continues to be the cause of most breaches, while hacking and malware contributed to about 14 percent of those reported. The number of breaches stemming from employee data theft also doubled. "As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent," said Linda Foley, ITRC co-founder.

Given the reality of this report, what would motivate a company to concentrate its efforts on company server and internet security? Misinformation. It has long been known that the vast majority of breaches are not the result of hacking or "cyber crime" of any kind. As this report has found, it's almost always either an inside job or a gross error in judgement. This is what makes employee awareness training an absolute necessity in an information security program. If a business doesn't tell the entire staff how to handle personal information, how can it expect them to do the right thing? Certified identity theft risk management experts who have studied the many forms of identity theft and methods of prevention should always conduct the training.

We have established that almost all data breaches occur at business and public databases, and are the fuel for the illicit worldwide trade in identities. The profits from the sale of identity data have surpassed the entire international illicit drug trade. As I mentioned in my previous column, it is very difficult to trace any given episode of identity theft to a single source, as the data is sold many times and divided up along the way, splitting one person's information in many directions. As this occurs, the information is used for a myriad of purposes. This is where it gets very sticky. While this misuse is going on, different public and private databases are corrupted with false entries that may take years to surface. A person may not discover until years later that an event has taken place that has altered their Social Security records, medical records, insurance records, employment records, and so on. Often by then it is nearly impossible to correct these false records. Since we are literally judged by the entries in these databases, wouldn't it be clever if they were accurate?

As long as data has value, it will be stolen, sold, and misused. Until we can remove the value of the information itself, we need to concentrate on the prevention programs of businesses and public records keepers. A simple program of policy training and awareness of the nature of the crimes can go a long way to stem the tide of identity theft. This is not necessarily a difficult or expensive process. Often it can be done at little or no direct cost to the business other than the training time, which frankly is purely an investment. And if insurance companies are listening, they should lower the rates of proactive clients just as their risk is lowered.
