15% Of Data Breaches Are Physical In Nature. How Much Of Your Data Security Budget Is For Full Disk Encryption?
I was reading through some articles today when I happened on one that referenced the Verizon data breach report from June. What jumped out at me in that article was its note that “physical threats” accounted for 15% of all breaches. When I read that, the first thing that came to mind was a physical attack: your laptop or your life.
And it’s not unheard of. I noted the importance of full disk encryption solutions like AlertBoot when covering a case where a New Yorker was mugged and his laptop computer was stolen. The laptop contained the personal information of 175,000 people who had donated blood in Ireland, but the man, who was a database consultant, used disk encryption to secure the contents, so no big deal. However, 15% of all data breaches happening this way? The number sounded too high.
So, I pulled the Verizon report from the internet. Turns out “physical threat” means more than what I had initially assumed. The fifteen percent broke down like this:
• 39% On-site theft (company-controlled premises)
• 27% System access or tampering (via keyboard or console; probably on-site as well, when no one’s looking)
• 16% Wiretapping or sniffing
• 6% Loss or misplacement
• 6% Observation (shoulder-surfing)
• 4% Off-site theft
• 2% Assault or threat
So, face-to-face altercations were actually 3 out of every 1000 breaches, a very low rate. At the same time, only 15% of all breaches being accounted for by the above factors sounds low. I mean, 4% off-site theft vs. 6% on-site theft? One would imagine the numbers would be reversed at least, since so many laptops are stolen out of car trunks, homes, coffee shops, etc. The answer to this anomaly presented itself in the introductory part of the report.
“…the data set is dependent upon cases which Verizon Business was engaged to investigate…. For instance, it is simply more likely that an organization will desire a forensic examination following a network intrusion than a lost laptop. Similarly, the evolution of disclosure and notification laws influences an organization’s decision to pursue investigation.”
In other words, cases like lost or stolen laptops carry less weight in this report because Verizon usually doesn’t handle that kind of incident; nobody calls consultants to probe why a laptop was stolen at a coffee shop. If a company were to combine all the data breaches where it’s obvious how it happened with those cases where outside consultants like Verizon need to be called in, chances are the “physical threat” component would account for a higher percentage.
Nevertheless, let’s assume 15% of all breaches is as bad as it gets. This means the cases where your IT department can’t protect data via firewalls, patches, software updates and the like account for 3 out of 20 breaches. Mind you, this statistic in and of itself does not show you how bad the breach is going to be. The laptop could hold 20 sensitive records or 20 million.
And of that 15%, slightly over half can barely be controlled at all (theft, losses, and assault), which accounts for over 7% of the total. Again, chances are this figure is slightly depressed from reality due to how Verizon compiled its data.
The only way to stem these breaches is physical security – locks, doors, bodyguards, bouncers, locked car trunks, what have you. And chances are, these methods are already being used. Is preventing data breaches in such cases a lost cause? Not really.
One way of preventing them would be ensuring that sensitive data is not stored on machines that have weak physical security (a computer in the office) as opposed to strong physical security (a computer in the boss’s office at the Federal Reserve Bank. I heard they have guards with machine guns hidden behind one-way mirrors. Now that’s security). But as the report itself has noted, there is the problem of “unknown unknowns.” That is, nobody has a complete idea of what type of data is stored on each computer in use; no amount of control over data retention, it seems, will lead to complete data security.
So, in the name of being pragmatic (and smart), I would recommend that people use encryption software. Encryption is not sexy or flashy. Most people show mild to vehement irritation at having to provide two-factor authentication (generally, a username and password) when turning on their computer. But encryption works. It works so well that the NSA, the only US government body that is supposedly unaccountable to anyone, is dedicated to doing nothing but trying to (and one imagines, being successful at) cracking encrypted data.
Some might say, if someone’s able to crack it, that means encryption is not truly secure. I agree…if you have carte blanche backed by the US government. How many two-bit criminals who steal your laptop have such a blank check?