Posted by: David Scott
According to security firm Rapid7, approximately 94 million personal files of Americans have been exposed by government agencies since 2009 – those that we know about, that is.
There are likely even more, given the fact that many states do not require agencies to report breaches.
As to the Feds: According to a recent Government Accounting Office (GAO) report, 18 of 24 surveyed Federal agencies had poor security controls, deemed not of sufficient standards for securing our personal information.
Private business has nothing to brag about either. Breaches were up 58% in 2011 over 2010, and 2012 will beat last year.
None of this surprises me: From a recent visit, I know for certain that a high-profile Fortune 100 firm simply does not enforce its policy requiring all users to log out of computer systems at end-of-day, or during extended absences from their desks/work areas. It’s rather extraordinary: People who are gone for the day remain logged in throughout the office, with a variety of proprietary, confidential, client, and personal information displayed. So much for systems that implement individual and group security settings and their associated access rights. (Lest anyone wonder why automatic logouts are not employed, I wonder too.)
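The missing control in the scene above is an enforced idle-session lock. As an added example (not code from the original post or from the firm described), the following PowerShell script reads the standard Windows registry locations that Group Policy and the user's own settings use for the machine inactivity limit and the password-protected screen saver, and reports whether a workstation will lock itself within an assumed organizational threshold of 15 minutes. The `$MaxIdleSeconds` value and the `Get-RegValue` helper are this example's own choices; the registry paths and value names are the standard Windows ones.

```powershell
# Added example: audit whether this Windows workstation enforces an idle-session lock.
# Read-only; it changes nothing. The 900-second threshold is an assumed policy value.

$MaxIdleSeconds = 900

# Helper (hypothetical name): return a registry value, or $null if the key/value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Machine-wide policy "Interactive logon: Machine inactivity limit" (seconds, applies to all users).
$machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'

# Screen-saver lock: a Group Policy setting (Policies key) overrides the user's own preference.
$policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userPath   = 'HKCU:\Control Panel\Desktop'

$active  = Get-RegValue $policyPath 'ScreenSaveActive'
if ($null -eq $active)  { $active  = Get-RegValue $userPath 'ScreenSaveActive' }
$timeout = Get-RegValue $policyPath 'ScreenSaveTimeOut'
if ($null -eq $timeout) { $timeout = Get-RegValue $userPath 'ScreenSaveTimeOut' }
$secure  = Get-RegValue $policyPath 'ScreenSaverIsSecure'
if ($null -eq $secure)  { $secure  = Get-RegValue $userPath 'ScreenSaverIsSecure' }

$findings = @()

# Control 1: the machine inactivity limit locks every session regardless of user settings.
if ($machineLimit -and [int]$machineLimit -le $MaxIdleSeconds) {
    $findings += "OK:   machine inactivity limit enforced at $machineLimit s"
} else {
    $findings += "WARN: no machine inactivity limit (InactivityTimeoutSecs) of $MaxIdleSeconds s or less"
}

# Control 2: screen saver must be active, password-protected, and fire within the threshold.
$screenSaverLocks = ($active -eq '1') -and ($secure -eq '1') -and
                    $timeout -and ([int]$timeout -le $MaxIdleSeconds)
if ($screenSaverLocks) {
    $findings += "OK:   screen saver locks the session after $timeout s"
} else {
    $findings += "WARN: screen saver lock not enforced (active=$active, secure=$secure, timeout=$timeout)"
}

# A workstation passes only if at least one of the two controls is in force.
if (-not (($machineLimit -and [int]$machineLimit -le $MaxIdleSeconds) -or $screenSaverLocks)) {
    $findings += "FAIL: unattended sessions on this host will stay unlocked"
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it under the logged-in user's context on a sample of workstations; the user-level values differ per account, which is exactly why the machine-wide inactivity limit (or the policy-level screen-saver keys, pushed by Group Policy) is the setting to rely on rather than whatever each person leaves in their own desktop preferences.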
IdentityForce™ estimates that 86% of data breaches are not IT-related (that is, due to faults within IT systems, processes, or protections), but rather are due to lapses of policy and training.
It has always been my view that matters of human error, and simple lack of care, are the better part of so-called “breaches” – and in those instances are better described as data exposures. Regardless, organizations seem to be at increasing risk, rather than decreasing, for allowing sensitive data to reach the wrong parties.
Is your organization at risk? It’s time for a survey – even if you feel you’re fairly tight. Survey your environment, and you can pretty much figure that your Acceptable Use, Security, and Disaster Recovery plans, policies and postures are due for modernization and updating.
Then train your personnel for appropriate behaviors and contingencies… essentially, today, everyone should be a virtual security officer…
By the way, keep this important tenet in mind: In the realm of risk, unmanaged possibilities become probabilities.