The results (released yesterday) from a study conducted by the Ponemon Institute yielded some interesting data points. The most visible of these was the finding that 85% of U.S. organizations experienced data breaches of varying magnitudes. This study, entitled "U.S. Enterprise Encryption Trends", is now in its fourth annual edition. The data was obtained directly from 997 respondents who were asked whether or not they had experienced a data breach within the past 12 months. I don’t know about you, but 85% is a bit too rich for my blood!
Below is a sampling of the key findings from the report:
Data breaches continue to be a huge problem: Eighty-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let-up in breaches, as this is consistent with the 84 percent sited [sic] in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009, up from 13 percent in 2008.
More than 70% have fully executed or just launched a data encryption strategy in their organization. Once again, data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.
Encryption of data on mobile data-bearing devices used by employees is very important or important. More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize that valuable data is more mobile than ever.
On average a company will pay $202 per record compromised, and, in total, an average of $6.6M should it experience a data breach.
As with other security-related topics, there’s the “So what does this mean?” question. First of all, it’s costing companies more to be breached – period. This is a very good thing because it’s our information that’s been getting lost or stolen, not theirs. Secondly, organizations are taking a much closer look at how to best secure data in all of its phases (at rest, in motion and in use). It’s a very positive move in the right direction. If you look at the latest numbers regarding personally identifiable data that have been involved in breaches (within the U.S.) you’ll see an interesting crossing-over point: there are now more records that have been exposed in data breaches than there are users on the internet. Let’s look at this a little closer:
Domestic population (census.gov): 307M
Personally-identifiable records involved in data breaches (privacy rights clearing house): 262.5M
Domestic Internet penetration rate (internetworldstats.com): 74.4% (251M users)
This clearly indicates that it’s not being on the Internet that is attributable to a person’s information being exposed – it’s the tremendous amount of information stored or transmitted in clear text that is problematic. I’m sure that if I cross-reference these numbers with the Bureau of Labor Statistics’ numbers, we’ll find an even more interesting correlation. Bottom line, 262M is not that far off from 307M. Will some part of every American’s personal information be involved in a data breach in the next few years?
With populations growing globally, there will always be a need to store information about an ever-increasing number of people. What is required, though, is to make this information worthless in the event of a breach – whether that breach originates from an outside entity or from the loss of a portable computing or storage device.
It’s no mystery to many readers of this blog that the root word for cryptography is the Greek word Kryptos – which means “hidden”. It appears that many years ago, the early Greeks may have had the answer to what plagues us today – the glut of personally identifiable information involved in data breaches. Encrypting (hiding) data is one very real approach to de-monetizing data breaches. To cover this point in its entirety we’d have to open another discussion on key management, but that’s material for another blog (or white paper).
Sr. Director, Research
Author ESET Research, ESET