Data loss incidents on the decline

Microsoft reports fewer losses, but cites recession as the cause

A big focus of the Microsoft Security Intelligence Report (MSIR), volume 9, released this week, was on botnets and the company’s reported success at battling them, but I found other interesting tidbits there, too. For instance, Microsoft reports a steady decline over the last two years in the number of data loss incidents made public around the world and cites the recession as the possible reason. A slow economy means less stuff is being sold, less data is being generated and so less stuff at risk of being stolen. Really? Or are people just being more careful?

For this section of the MSIR, released at the recently concluded RSA Conference Europe 2010 in London, Microsoft relied on the Open Security Foundation (OSF), which tracks security breach reports culled by researchers from news stories and other sources and then reported on the OSF Web site, DataLossDB. Reported incidents declined to 232 in the first six months of 2010 from 414 in the first half of 2008, according to DataLossDB, and the numbers declined steadily in each six-month period in between.

“This downward trend may be related to the overall decline in worldwide economic activity over the same time period,” Microsoft stated in the MSIR.

There might be other factors, though. Microsoft notes the increasing number of laws by states, countries and other political jurisdictions mandating that breach incidents be reported if customer or client data may have been exposed. When California became the first U.S. state to enact a disclosure law in 2002, the idea was that companies would invest more in data security to avoid the negative publicity associated with a breach. An added incentive to invest in security is that under California’s law, and likely elsewhere, an incident does not have to be reported if the company can show that the data believed compromised is encrypted.

Ironically, California's landmark law made some news of its own recently when Gov. Arnold Schwarzenegger vetoed a bill that would have updated the 8-year-old law. The new legislation would have strengthened the reporting requirement if databases of personal information were compromised. Schwarzenegger argued the legislation would have further burdened businesses without a corresponding consumer benefit.

Disclosure laws aside, the incident reports keep pouring in, even if at a slower pace. DataLossDB has the Web equivalent of a news ticker on its home page with details of the latest incidents as they come in. The U.S. Department of Veterans Affairs reported a breach Oct. 14 in which 6,299 Social Security numbers were exposed. That same day, Accomack County, Virginia, reported a breach that exposed the Social Security numbers of 35,000 county residents when a county employee’s laptop containing them was stolen in Las Vegas.

In fact, the stolen-laptop scenario is the most typical of all the reasons data is compromised. While we in the IT security world are concerned about cybercriminals operating botnets, hacking computers, spreading malware and committing fraud, the largest single category of data breaches is “stolen equipment,” at 30.6 percent of all incidents in the first half of 2010. And overall, fewer than half of reported breaches are classified as “malicious”; most are classified as “negligence.” The most common form of negligence is improper disposal of business records, meaning something as simple as throwing paper records in the trash without shredding them first.

It seems no amount of investment in firewalls, access control, data encryption or patch management can protect against one bone-headed act of stupidity.
