According to the first data loss survey Symantec has run in Australia, 80 percent of local companies had at least one data breach in the past five years, and 40 percent had between six and twenty breaches in the same period. Furthermore, 59 percent of businesses think they may have had a data breach they are not aware of. The leading form of data protection is encryption, probably either file encryption or hard drive encryption like AlertBoot, which shouldn’t be a surprise, since the primary cause of a data breach was the loss of laptops (45%).
This is followed by human error (42%), lost portable devices (30%), hackers (29%), malicious insiders (28%), lost paper records (26%), and malicious code (malware, 24%). These figures probably don’t add up to 100% because a company could experience multiple data breaches which were not similar in nature. For example, lose a laptop one day, lose a briefcase full of documents the next. What I can’t figure out is how human error got its own category. I mean, aren’t they all caused by human error?
Regardless, these figures could be used, loosely, as a measure of how advances in technology have changed where data security fails. Laptops and portable devices together account for 75% of the companies reporting a breach cause (with the caveat above that the categories overlap, so this is a share of companies, not of breaches), whereas paper records account for 26%, which is a huge number on its own (so the halcyon days of yore were probably never as secure as we believed them to be).
But, and this is a simplified point of view, the advent of the digital age seems to have wreaked havoc, in this case by nearly a factor of three. One can’t even argue that the above results don’t take into account the diminished importance of paper records since, if I recall correctly, people are using more paper than ever. So, this is not a case where laptops have taken the place of paper; laptops are an additional source of information security breaches on top of those caused by paper documents. (Of course, a counter argument could be that we use more paper than ever, but sensitive information as printed material has been decreasing overall…except I don’t see that disclosed anywhere.)
This is the thing, though: the use of laptops and portable disks doesn’t necessarily need to mean increased incidences of data breaches, a term that has to be redefined. Currently, a data breach tends to mean any instance where something containing data is lost or missing, even if the contents are protected with full disk encryption. But is that really a data breach?
I would argue that the definition of a data breach has to be grounded in whether the information can realistically be accessed or not, just as paper documents are considered protected when inside a building as opposed to lying in garbage bags by the curb, unshredded. Realistic accessibility is the key in this matter. Bypassing an operating system’s password protection is easy, because the login prompt only gates the software front door: pull the drive, mount it on another machine, and the files are readable as-is. Bypassing encryption is notoriously hard, provided the key is not recoverable from the device itself. That proviso matters: if a laptop is encrypted, and no stupidity was involved (having the username and password anywhere on the laptop is stupidity; losing it while powered on or suspended with the disk unlocked and the key still in memory is close to it; leaving a laptop in your car…well, I tend to think that leans more towards carelessness), there should be no reason why the loss of that laptop should be classified as a data breach.
Ultimately, a data breach should focus on the data: is the data accessible by unwanted third parties? If not, then there is no breach. Note that there is a solution available today for keeping data secure even if the physical object housing it is missing or stolen. It’s called encryption software. No such tool exists for paper documents, unless you count those briefcases that have built-in locks with three dials. Give me a beer, though, and I can crack through that in less than two hours.