A recent blog post by Wikibon (The 11 Largest Data Breaches in History) chronicles a series of the most significant recent information security events known as data breaches. A data breach is the unintentional release of sensitive information to an untrusted environment. Other terms for this phenomenon include [unintentional] information disclosure and data leakage.
Cost of Data Leakage on the Increase
A recent industry study estimated that the average cost of a data breach grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record). The average total cost per reporting company was more than $6.6 million per breach. For large enterprises, data breaches often constitute an expensive headache in terms of direct costs, productivity loss, and a tarnished brand. For midtier and smaller organizations, a data breach may represent the end of the business altogether. Even with these escalating costs and risks, the efforts of CEOs, enterprise security professionals, vendors, and standards bodies have yet to put in place the right set of solutions to prevent growth in data losses.
One Tool - The Open Security Foundation
Every day, project curators and volunteers at The Open Security Foundation search news feeds, blogs, and other sources looking for data breaches, new and old. They search for incidents that need to be updated, or incidents that are not yet in the database. They add what they find to a data loss database, email members, and tweet the breach on Twitter. The goals of the OSF are to:
- Improve awareness of data security and identity theft threats to consumers;
- Provide accurate, unbiased statistics to the industry to assist in risk management decision-making;
- Provide trend data to help inform consumer protection regulations and assist legislators and citizens in measuring the effectiveness of breach notification laws; and
- Gain a better understanding of the effects and effectiveness of data-breach controls.
Action Item: More attention and innovation is needed to properly control and manage the confidentiality, integrity, and availability of corporate and personal information. CIOs and CISOs should integrate the data of the Open Security Foundation into their overall information assurance strategy and use it to inform the deployment of firewalls, DLP filters, database security and auditing systems, PCI compliance reviews, encryption technologies, and other tools that effectively slow the flow of privileged information to the outside world.