Monday 16 February 2015

Data breaches: an unhelpful headline from the IT security press

A headline caught my eye in the latest edition of SC Magazine. Evidently, the UK has been named and shamed as Europe’s worst country for data breaches.

It may be a catchy headline, but it belies the facts. The article focused on a report published by Gemalto, drawing attention to significant data breaches during 2014. The report focused on 1541 breach reports that, in total, affected over 1 billion records.

The article’s headline simply referred to a statistic, buried away on page 7, indicating that in terms of the number of separate incidents reported, there were more reports from UK organisations (117) than from any other country in Europe. Germany, for example, reported 7 incidents. The French had 9 incidents, the Italians 3 and Poles only 2. Nobody was shamed. Not even the countries that reported hardly any incidents.

Need I say more?

I think it would be more helpful just to highlight the point that British organisations were more likely to report data breaches to the researchers than organisations in other European countries.

So what lessons can we learn from this report?

Very few, actually – as it’s so hard to accept that the raw breach reporting data is credible. It was collected from “public sources” – whatever those were. While it makes great reading if you’re after a few horror stories to use in presentations that seek to justify additional expenditure on encryption and access control for users, the document doesn’t purport to be an authoritative study on the breaches that are currently being experienced.

Indeed, Gemalto helpfully emphasises that it “makes no representations or warranties regarding this information and is not liable for any use you make of it.”

But don’t let that disclaimer put you off reading it. 

Just take the headlines from the IT security press that purport to report on the document with a healthy dose of scepticism.