Breach Meters, Security Awareness, and Lost Paper

What does a “Breach Meter” look like? I’ve just been debating this question with a colleague. He imagined something related to clothing (i.e. a pair of breaches) and suspected that a valid measurement would be something along the lines of “two buttocks to the arse.”

I think he’s wrong. A Breach Meter most likely resembles one of those Blue Peter appeal-ometers: a sort of large, old-fashioned mercury thermometer, and not one of those new useless strips of plastic that you put on your forehead to get a body temperature reading. They don’t work. Last time I tried one the reading indicated that I was clinically dead. My wife told me that I couldn’t be, because she still had no money and there was a pair of freshly discarded socks on the floor.

Anyway, I digress. A “Breach Meter” is actually a device used by the ITRC – The Identity Theft Resource Centre. They don’t, however, show us a picture of what one looks like. But they do tell us that it has now reached 342. This is apparently very bad, and 69% more than the same period in 2007.

Such data is always interesting to read and makes for a good message reinforcing the need to continue our focus on data security governance. One of the more interesting, but often overlooked, statistics is that nearly 20% – a fifth – of data breaches relate to paper rather than to information lost or stolen electronically.

When paper goes missing you can be almost certain that the information it contains has been read by somebody and that it can very easily be copied and redistributed. When it’s an electronic device (39%) you can only suspect that it might have been. In most situations it probably hasn’t, but we report it as a data breach anyway.

This highlights the need to keep on bashing out the statement that information security is not just an IT subject.

How many people are there in your security team? This question was recently posed in a presentation given by one of the people I respect most in the security industry, Martin Smith of The Security Company. The correct answer is that the number should equal the number of people in your whole organisation. Unless everybody is on the receiving end of security awareness messages, expect to find yourself adding to the Breach Meter statistics sometime soon.