Thursday 6 August 2015

How safe is your data?

One of the most frequently covered media topics on analytics is data security, or rather data insecurity. It feels like every week there is a new report of data breaches in the papers. A quick review of the UK national press over the last quarter in fact identifies just short of 120 articles that feature a 'data breach' reference.

I'm covering this as a topic because my suspicion is that the fear of breach is more widespread than actual breach. Yes, there have been many data breaches, but without the real facts the cynic in me suggests media bias is creating more attention than the nature of the problem warrants. The cynic in me notes with a wry smile that 60 of the 117 articles appeared in The Daily Mail. Detail from the Newsdesk service from LexisNexis.

So I dug a bit further into the facts of recent breaches, and sought out some recent studies.
First stop was the Breach Level Index, which tracks publicly disclosed breaches globally and produces an annual summary report. [I should flag that this is the work of a "leading global provider of digital security solutions"] The 2014 report contains some useful reference points:
  • the report is based on 1,450 breaches in 2014, an increase of 46% from 2013 (however, how much of this is more breaches, and how much a higher level of breaches being reported?). This included 117 in the UK for 2014.
  • the report highlights the source of these breaches: around 60% are external, but the significant remainder are either malicious insiders or accidental losses
  • most surprising was that of all these 1,450 global breaches less than 4% involved data that was encrypted in part or full.
Next I studied the latest 'Information Security Breaches Survey' from the UK Government Department of Business, Innovation and Skills. This survey was carried out by PWC and took responses from over 1,000 individuals, with some bias to SMEs.
  • 86% of 'large' organisations had a security breach last year, and 60% of 'small' businesses. Interestingly, both figures are lower than in 2013.
  • Almost half of the breaches (47%) were caused by staff; next highest was virus impact at 27% of incidents. External attacks accounted for 16% of incidents.
The Information Commissioner's Office also reports a range of statistics on breaches that have been reported to it. For 2014/15, 1,807 incidents have been reported:
  • over half were basic failures; losing paperwork (18%), data sent to the wrong person, by post or email (30%), insecure disposal of paperwork or computer records (5%)
  • but a significant 22% related to a lack of "appropriate technical and organisational measures"
Clearly these are three quite distinct snapshots, without direct comparability; but even so they highlight some common themes:
  • most breaches are failures at a basic, preventable level: organisations should do more to address the basics
  • where breaches are more complex and especially external, whether direct attacks or due to virus or malware, then improved encryption would be of significant benefit
  • centralisation of data creates a single point of security concern, but most specialists agree that this is also easier to secure; decentralisation creates more potential failure points and greater challenges to effectively manage
Data security will continue to be an issue, breaches will continue to happen, but organisations can always take some basic steps to reduce their risk and exposure.
