It's 3:57 a.m. and two thieves, Elroy and Leroy, just smashed in the back window of one of your remote offices. Using the bare minimum of lights left on when the cleaning crew left hours ago, they're in your business looking for things they can easily resell on the street to get a little money for a bad meth habit. In your office, Elroy spots two things that grab his eye: 1) a 50-inch plasma screen that your engineers use when demonstrating your newest whiz-bang technology and 2) a laptop left in an unlocked filing cabinet in an unlocked office. He's got to make a choice quickly on what to grab; he knows that thanks to your contract for alarm system monitoring, the police are probably only 15 minutes away.
If the pair lugs that plasma screen out of the office, you're out about $2,500 to replace it. The laptop is an old Dell X200 worth about $240 on eBay. It is on its last legs, but a database admin uses the laptop when she's working in the office, and it happens to have an unencrypted merged database of employees from HR as well as a current database of your new customers' credit applications. If Elroy and Leroy grab the old laptop, you might not know it, but you could be out millions.
Do these kinds of scenarios keep you up at night? If not, when you look at the recent costs of data breaches, as reported in major news media, they should.
First, our apologies to your sleep therapist, but in the last day, we received two very interesting tidbits of information that can help keep you up at night. The information included one well-compiled tool from Darwin Professional Underwriters that seeks to give estimates on the cost of data security breaches. It handily estimates things like legal fees, your cost to provide post-incident credit monitoring for your employees, call center costs, certified mail notifications, and a lot more. The shocking thing about this calculator is how quickly the business costs of a data breach can add up.
The second item of business is a report released this week from the Identity Theft Resource Center, which compiled a list of 76 data breaches (using news reports) that have occurred just in the first quarter of 2007. What will worry you again (Tylenol PM should sponsor this news, I think, especially since it coincides with Friday the 13th) is that it's not solely small companies without enterprise security programs in place that are being affected. It is companies and organizations like Medicaid, U.C.-San Francisco, WellPoint, Fruit of the Loom and a lot of other big names.
Now, in response to this, I'll probably receive press calls from a dozen network security device and software vendors telling me how their unit will block hackers. However, it seems that more often than not, there was a physical security breach involved such as a card skimmer or a stolen laptop. There is only so much that CCTV and national account monitored intrusion systems can do. In response, if any of you would like to share general rules and policy regarding laptops and physical IT assets, I'd be happy to share those with the group. Email me via firstname.lastname@example.org.