Has “Data Breach” become a buzzword?
You hear about a new, significant data breach in the news. What’s your reaction? Chances are, you’re a lot more desensitized to this than you were 3-4 years ago. Is this a good or a bad thing? Personally, I think there are two ways to see it. First, the general public is becoming desensitized to it. After the TJX breach, people happily handed their credit cards over at TJ Maxx and Marshall’s stores, so I’m not inclined to think these sorts of announcements lead to actual consumer behavior changes in many cases. The other side of this is from an organization’s standpoint – safeguarding against data breaches is rapidly becoming “something you just kinda have to do”. Peer pressure? All the cool kids are doing it? We’ll see.
I took a look at the SC Magazine 2010 Data Breach survey found here. I’ll comment on a few points in this survey, as I am generally getting more and more skeptical of the validity of responses to these surveys, or generally questioning some of their usefulness. All images are taken directly from the survey page.
No shocker here. Compliance is the big driver. And it looks like “negative brand impact” is another one. However, this brings up a point, in my mind at least – why aren’t organizations doing this to “enhance security” or “adhere to security best practices”? Are all organizations like spoiled children who continually ask “Awww, do I HAVE to?” I understand money is involved, but it boggles my mind that companies do not understand the intrinsic need to not shit all over employees, customers, and partners by losing something entrusted to them.
Here’s another one that raises a question – how could even 7% of respondents NOT KNOW the answer to this? And “Yes, but not enough” seems like a cop-out answer that is “safe”. Either you have a cohesive plan, or you do not. Or you live under a rock and answer “Don’t Know”. Apparently, SC Magazine can reach you under said rock. Bravo.
Some additional nuggets of awesomeness (these graphs I only found in the magazine article):
- The company is preventing the data from being stolen, exposed, or lost. The responses? 91.2% agree, 4% disagree, and 4.5% neither agree nor disagree. Two things – those numbers add up to 99.7% (where’s the other 0.3%?) and what kind of dumbass doesn’t have an opinion on the matter? To Mr. I Don’t Know What the Hell is Going On…this Bud’s For You.
- Most and Least Helpful in detailing safeguards to protect customer data stored electronically. Holy nonsensical results, Batman – check this out!
SOX was the most helpful to 28.1% in 2009. WHAT!!!! HOW? There IS no detail.
GLBA was the most helpful to 16.3% in 2009. See comment above.
HIPAA was the most helpful to 30.3% in 2009. Maybe you have no CLUE as a healthcare CISO, and you did a knee-jerk response on “your” compliance thingie. But really?
- Departments involved with this plan [breach response] to ensure that it is carried out properly. And HR is not even on the list. Internal folks don’t steal data?
So to bring this full circle with the opening paragraph and title of the post – did SC Magazine publish this useless bit of drivel to get some attention; in other words, use a “buzzword”? I say yes. For less “fluffy” infosec publishing, check out Bill Brenner and crew at CSO or Marcia Savage and the folks at Information Security. And yes, I know what they say about opinions.