It's essential to keep abreast of surveys of security incidents. They provide a small glimmer of visibility on what's essentially a dark hidden area. There are a few reasons why we're kept in the dark. A lot of enterprises don't report incidents. Most don't keep track of them. And many simply don't know about them.
Last week, the Identity Theft Resource Center (ITRC) reported that the total number of incidents that could lead to identity theft on their 2008 breach list had already surpassed the final total of 446 reported in 2007. That's clearly an under-estimate for all of the above reasons. And each reported breach might have actually affected dozens of different businesses.
This trend will continue upward as we get better at detecting, tracking and reporting incidents. Espionage and fraud has been going on inside companies for decades, but it's largely undetected. I've always operated on the assumption that any call centre with valuable information will be riddle with people selling information, that any large procurement contracts will attract information brokers, and that any unencrypted transmissions of sensitive information can be read by governments. And I'm not paranoid, just streetwise.