KPMG Data Loss Barometer 2008

The following are some excerpts from the KPMG Data Loss Barometer published in November 2008.


Although the incidents date from 2005 through to June 2008, much of the analysis focuses on events since January 2007. The incidents are worldwide but predominantly originate in the US and UK. The report does not claim to be a definitive list of all data breaches; rather, it is a snapshot of a global issue.
Some figures highlighted in the report:

  • 1034 incidents of data loss
  • 280m people affected
  • 25% involving PC theft
  • 80% causing loss of personal details
  • 51% of losses from an internal source
  • 46% of lost data has no protection

Main findings of the analysis

  • Internal controls are vital – Human or procedural errors account for a significant number of losses. The risk of such errors is greatly reduced by implementing appropriate and clearly defined procedures for the use and handling of data. Staff need to understand what is expected of them, which calls for awareness, training and education programmes that are delivered regularly and are tested and updated.
  • Portable media is highly vulnerable – Mobile devices such as laptops and removable media are invaluable to modern business but carry an increased risk of data exposure. Given how frequently portable devices are lost or mislaid, companies should take steps to ensure that all data on them is encrypted and cannot be accessed by unauthorised people. In practice, however, encryption is rarely adopted: in the majority (62%) of reported losses or thefts of removable media, the data was neither encrypted nor password protected.
  • Hackers are a persistent danger – Unauthorised access presents a major threat to data protection. The malicious and often organised nature of hacking makes it more likely that the data extracted will be used for criminal and fraudulent purposes.
  • Incident response is the key – Loss of reputation means a loss of customer trust and a loss of business. Handled correctly, however, the reputational damage resulting from a data loss incident can be minimised. Swift, appropriate and decisive action limits the potential damage.

It was also noted in the report that CIFAS, the UK’s fraud prevention service, estimates that it can take between 3 and 48 hours’ work for a typical victim of identity fraud to put right the damage and clear their name.

In the case of a ‘total hijack’ where 20 or 30 organisations are involved, it can take more than 200 hours and cost up to £8,000. In that time, an individual’s credit status may be considerably, albeit temporarily, impaired.

Test your business’ readiness to deal with (or withstand) a data breach by answering the following questions:

  1. Do you know where your data comes from, where it is stored and how it is used?
  2. Do your staff understand the importance of good data handling?
  3. Are you confident that your IT networks and systems are secure?
  4. Do you have a clear plan of what to do should you lose data?
