In the midst of his riff on Amrit's anti-FUD lament, Alex at Risk Management Insight relates a story about an enterprise that installed a data leakage / content monitoring / extrusion prevention solution to evaluate data leakage throughout its organization. At the end of the trial, they made an important observation:
"If they were leaking all this data, where were all the incidents?"
The idea of "leakage" is a notion worth addressing in a world of mobile employees, outsourced business functions, and super-strategic partnerships where data is routinely shared across many traditional boundaries. It is pretty straightforward to identify a leak simply as a violation of policy - that is, sensitive data was shared when it shouldn't have been. Another type of leak is the nefarious one - when an employee is caught stealing information and transferring it to a competitor or using it for his/her own gain. The former is (anecdotally) the most common situation, but the latter is the most significant.
Alex continues his comments to discuss how the frequency of incidents fits into the risk equation, and how these leakage events don't necessarily result in incidents where the information is used against the owner. (The parallel here with personal information is simply that loss of identity information doesn't necessarily lead to identity fraud.)
Of course, the notion of an incident and its corresponding loss function is trickier than is described here - while I don't subscribe to the whole mentality of massive, secret breaches HAPPENING RIGHT NOW EVERYWHERE!!!! and leading to significant losses WHILE WE REMAIN UNAWARE!!!!, it isn't hard to assert that some organizations are likely to be in this situation right now, and when such an enterprise figures out that it has been breached, it will correlate its damage estimates with the duration of the breach (longer time, higher damages).
[Allow me to brainstorm briefly, because duration is an important point here - it may mean we'll need to differentiate between incidence and prevalence at some point in the future of information security.]
My point: Evidence matters. That is, we must continue to distinguish among the nature and types of incidents and corresponding losses. Policy violations may lead to losses like regulatory fines, but not necessarily abuse of data, which was the reason for the policy in the first place.
All of these issues, of course, point to the need for more quantitative, objective (oh, and causative) work being done to understand consequences in situations where "leakage" is the norm, not the exception. (Btw, DLP solutions are great for simply understanding the volume and usage patterns of sensitive data to get this information).
Update: Adam asks a great question in the comments. (Thanks for the links, Adam!). Here is an attempt at clarification:
As far as I can tell from reading the article, it makes precisely my (intended) point which I probably didn't make as well as I could have.
Let's see if I can clarify what I believe, and I haven't seen any data to refute these beliefs as of yet. (Nor have I seen great data that supports them, however):
1) There are undoubtedly lots of "leakage events" going on all the time. These are, by and large, occurring through "garden variety" policy abuse by employees and stolen laptops/PDAs; they are generally not malicious attacker events. Any of these cases might result in losses.
2) There is also much, much more information sharing going on that is considered legitimate by policy but also may end up resulting in losses.
3) Malicious attackers do not have a stronghold in every enterprise on the planet (unless you count employees as malicious attackers;-)). They are likely, however, to have compromised some relatively small proportion of organizations and these organizations don't know about it yet.
While I don't know this, I suspect a large (huge, really) portion of the "breaches" being reported in your article are of the policy abuse and stolen laptop situations. When I asserted my opinion above, I was talking about malicious attacker breaches of the TJX variety, though I wasn't clear in saying this.
In any case, the larger part of my post intended to suggest (and I believe Alex intended this as well) that even though leakage events occur frequently, it is not clear how much of this leakage is turned into losses like identity fraud, competitive market share, stolen customers, etc*. In addition, it is not even clear whether these leakage events create higher risk for an enterprise that is already sharing information in huge volumes.
* Note that the bulk of losses associated with these events revolve around notification, legal costs, and forensics analysis, and not around the losses mentioned previously.
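To make the incidence-versus-prevalence distinction above concrete, and to separate the "garden variety" policy and lost-device leaks from the malicious-attacker ones, here is an added Python example (my own illustration, not code from the post or from any DLP product). It runs over a small constructed list of leakage events; the event fields, the three kinds, and the dates are all assumptions chosen to show the arithmetic. Incidence counts new events that started in a period; prevalence counts events that had started and were still undetected on a given date, so it grows with breach duration even when incidence is flat.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class LeakageEvent:
    """One leakage event as a DLP or incident log might record it (hypothetical schema)."""
    event_id: str
    kind: str                 # "policy_violation", "lost_device" or "malicious"
    start: date               # day the data left the organization's control
    detected: Optional[date]  # day the organization learned of it; None = still undetected
    abused: bool              # evidence the data was actually used against the owner


# Constructed sample events; none of these are real incidents.
EVENTS: List[LeakageEvent] = [
    LeakageEvent("L1", "policy_violation", date(2007, 1, 10), date(2007, 1, 12), False),
    LeakageEvent("L2", "policy_violation", date(2007, 2, 3), date(2007, 2, 3), False),
    LeakageEvent("L3", "lost_device", date(2007, 3, 15), date(2007, 3, 16), False),
    LeakageEvent("L4", "policy_violation", date(2007, 4, 20), date(2007, 4, 25), False),
    LeakageEvent("L5", "malicious", date(2006, 11, 1), None, True),   # undetected compromise
    LeakageEvent("L6", "lost_device", date(2007, 5, 2), date(2007, 5, 2), True),
    LeakageEvent("L7", "malicious", date(2007, 3, 1), date(2007, 6, 1), True),
]


def incidence(events: List[LeakageEvent], period_start: date, period_end: date) -> int:
    """Number of new leakage events whose start falls in [period_start, period_end)."""
    return sum(1 for e in events if period_start <= e.start < period_end)


def prevalence(events: List[LeakageEvent], as_of: date) -> int:
    """Number of events that had begun on or before as_of and were still undetected then."""
    return sum(
        1 for e in events
        if e.start <= as_of and (e.detected is None or e.detected > as_of)
    )


def exposure_days(e: LeakageEvent, as_of: date) -> int:
    """Days the data was out of control: start to detection, or to as_of if still open."""
    end = e.detected if e.detected is not None and e.detected <= as_of else as_of
    return (end - e.start).days


def summarize(events: List[LeakageEvent], as_of: date) -> Dict[str, Dict[str, float]]:
    """Per kind: event count, count with evidence of abuse, and mean exposure in days."""
    buckets: Dict[str, List[LeakageEvent]] = {}
    for e in events:
        buckets.setdefault(e.kind, []).append(e)
    summary: Dict[str, Dict[str, float]] = {}
    for kind, items in buckets.items():
        summary[kind] = {
            "events": len(items),
            "abused": sum(1 for e in items if e.abused),
            "mean_exposure_days": sum(exposure_days(e, as_of) for e in items) / len(items),
        }
    return summary


if __name__ == "__main__":
    q1 = (date(2007, 1, 1), date(2007, 4, 1))
    print("Q1 2007 incidence:", incidence(EVENTS, *q1))
    print("Prevalence on 2007-03-20:", prevalence(EVENTS, date(2007, 3, 20)))
    print("Prevalence on 2007-06-30:", prevalence(EVENTS, date(2007, 6, 30)))
    for kind, stats in summarize(EVENTS, date(2007, 6, 30)).items():
        print(kind, stats)
```

On this sample the policy violations dominate the incidence count but show no evidence of abuse and are closed within days, while the two malicious events have a mean exposure of well over a hundred days and account for all but one of the abuse cases; that is the split between "lots of leakage events" and "a small proportion of organizations compromised and unaware" that the post argues should be kept apart when estimating losses.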