No notes for this slide
See the Sophos white paper (Livre Blanc Sophos)
Slide objective: Highlight the sharp end of data loss incidents and the moment Chief Security Officers fear. Draw attention to the fact that publicly disclosed incidents of data loss are of course only the tip of the iceberg. The bulk of the iceberg is made up of:
Large numbers of unannounced Personally Identifiable Information (PII)* losses which can still have significant reputational impact with customers and partners
IP losses which can be very expensive for individual businesses but are not of interest to the wider public
Undiscovered IP losses happen all the time, and the greater the business's exposure to these losses, the higher the risk that one of them becomes public
Financial compensation costs also need to be considered:
1. if in breach of regulatory compliance e.g. Nationwide (security breach cost $2 million in fines) *1
2. if sued by other parties who suffer financial loss due to data loss negligence (e.g. US veterans and Heartlands class actions for data loss) *2
Ponemon Institute - The average cost of a data breach in 2008 grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record). The average total cost per reporting company was more than $6.6 million per breach and ranged from $613,000 to almost $32 million.
The cost of lost business continued to be the most costly effect of a breach, averaging $4.59 million, or $139 per record compromised, the study says. Lost business now accounts for 69 percent of data breach costs.
Some additional facts we can speak to as part of this slide:
In the UK, online banking fraud losses from January to June 2008 totaled £21.4m ($31.3m) – a 185 percent rise on the 2007 figures, and 20,000 fraudulent phishing websites were set up – an increase of 186 percent.
In December 2008, for example, the account details of 21 million German bank customers were being offered for sale on the black market for 12 million euros by a hacking gang.
New incidents can be looked up here:
Personally Identifiable Information (PII)* is any piece of information which can potentially be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
Whilst the acronym PII is commonly used, there is no common or agreed use of the words from which it is created. Common variants are personal identifiable information, personally identifiable information, personal identifying information, and personally identifying information. Nevertheless, there should be a clear distinction between the identifying block (personally identifying information) and the identifiable data relating to an individual (personally identifiable information).
*2 http://www.securityfocus.com/brief/899 (Heartlands class action) & http://www.eweek.com/c/a/Security/Veterans-Sue-VA-over-Data-Loss/
4 out of 5 companies have lost confidential data when a laptop was lost
10% of all notebooks get stolen or lost annually
1 in 2 USB drives contains confidential information
70% of all company data is stored redundantly on endpoints (notebooks, USB sticks), not only on servers
Top reason for data breaches in enterprises: 35% are caused by lost or stolen notebooks
See the Syntec cloud computing security white paper (Livre Blanc Sécurité Cloud Computing, Syntec)
Prevent opportunistic theft
The majority of thefts are reportedly committed by staff themselves
It is different if the employer puts in place a system for monitoring its employees' activity (monitoring of e-mail, websites visited, etc.)
There are also legal risks associated with the use of pirated software