Organizations around the world, both in the private and public sectors, are leveraging the use of technology to their advantage. Take BYOD as an example: “bring your own device” initiatives are meant to reduce costs while increasing job satisfaction and worker efficiency. There is a darker side to BYOD, however: losing sensitive and private data, which doesn’t sound like a big whoop until something goes terribly wrong. Because of the potential for data breaches, BYOD data security solutions and services like AlertBoot Mobile Security are not only a good idea, but can be a compliance requirement.
The key word there is “can,” though. When you consider the value of personal data in the black market, or even to legitimate data brokers, one can only wonder why there aren’t stricter laws addressing the issue of personal data security. It’s a complex situation and a simple answer isn’t readily available. However, a significant part of the answer could be that people have no idea how bad the situation is because it doesn’t get reported. Take into consideration the Canadian government’s recent revelation.
Over 725,000 Affected Over the Past 10 Years
According to a document that was presented in Canada’s Parliament, there were more than 3,000 data breaches in the past 10 years. More than 725,000 Canadians were affected.
However, fewer than 13% of data breaches were reported (the implication, I guess, is that they were supposed to be reported to the Canadian Privacy Commissioner). Furthermore, there is a good chance that the 13% figure is inflated. According to the same report, the government’s list cannot possibly include all data breaches. Hence, the 13% figure would actually be lower:
For instance, the Canada Revenue Agency didn’t provide any numbers, saying that a search of the hard copy records of breaches would be too cumbersome to be completed.
And those are instances of “known unknowns.” Imagine what the picture would look like if the veil of “unknown unknowns” were lifted as well.
GIGO: Garbage In, Garbage Out
If you were in charge of coming up with a policy and found that there were only 300 or so breaches over the past 10 years (as opposed to 3,000), would it affect how you approached the project? Would it affect your conclusions on what needs to be done? Would your calculations show that the use of certain information security solutions was not “cost effective”?
My guess is that the answers to all of the above would be in the affirmative.
The last question is especially interesting. In this day and age, the bottom line tends to be the arbiter of whether something gets implemented. Hence, many IT departments have attempted to calculate an ROI (return on investment) for data security products and services, including mobile device management and security services for securing devices that are used in BYOD programs.
I should mention that such a calculation is an exercise in foolishness: information security is not an investment in the financial sense. It will not produce money or any other type of financial asset; and, of course, just because it doesn’t generate income doesn’t mean it isn’t worthwhile.
For example, what’s the ROI of a toilet? None (unless you’re a company that sells porcelain bowls). Would your company be better off without toilets in the workplace? Probably not. While there isn’t a return on investment, there certainly is a return in some kind of value.
All of this being said, if one is going to do some calculations, it still behooves one to use data that is as accurate and as precise as possible. If one finds that a BYOD security program will cost the company $10,000, one might balk when looking to prevent 300 data breaches vs. 3,000 of them.
The report to Canada’s Parliament could very well explain why there isn’t more being done to protect sensitive data at the federal level, and why Canada’s been experiencing increasingly bigger data breaches.