Identity theft and data loss prevention have two dimensions:
- The firms who create, store and process data
The media tends to confuse the two issues – promoting various public and private agendas (for example – security product vendors who want to inflate the cost of damage of identity theft by counting the cost to consumers instead of the cost to the business. Firms like Verdasys, Symantec, McAfee, Fidelis Security and RSA that develop and sell DLP (data loss prevention) products love to publicize numbers like this:
- It’s a big problem: 2006: 50 million records breached , 2007: 160+ million records (source: www.Attrition.org)
- A lot of damage is involved: Huge liability and cost to an organization – $182 – leak of 1 record cost to an organization, $4.8M average cost of a breach (source: Ponemon Institute, 2008)
- You’ll get bitten once every two years: 50% risk of $5M in annual financial loss due to a breach at a company with no data loss risk mitigation implemented (source: ANSI, 2008) (Note how the ANSI number is half the Ponemon number…)
- The employees are to blame: 62% of the breaches done by insiders (partners and employees) (Verizon Business, 2008) (The Verizon business report gave a much high weight to partners)
(The different sources use different and incompatible methodologies for collecting, classifying and analyzing the impact of data loss events. The reports are often product marketing in the guise of market research ordered and paid for by the security vendors themselves. How did Ponemon determine that the average cost of a breach is $4.8Million with a small sample of high impact data loss events? How did ANSI decide that companies in their sample didn’t have any data breach risk mitigation in place? What is the correlation to a particular line or size of business? (e.g. why is a loss of backup tapes at Bank of America relevant to a data breach of intellectual property at a high-tech manufacturing company with 1,000 employees?)
OK – the questions are important, but what happened to eyeballs and common sense?
Whether consumer or firm, whether bank or high-tech manufacturer – data loss prevention starts with common sense and staying alert. Since most identity theft is due to physical threats such as dumpster diving – consumers should shred their credit card statements before throwing them out and stop talking to strangers on the phone. If you process credit cards – simply don’t store PII (credit card + mag strip data) at all. If you have proprietary IP in your company – require everyone to read, understand and sign a one page acceptable usage policy and monitor compliance with a network DLP (data loss prevention/extrusion detection) appliance like Fidelis XPS. When you catch someone leaking assets – fire them on the spot and publicize the event.
Don’t rely on urban legends – rely on common sense and intensive monitoring to stay alert.