New research from the AIIM (Association of Information and Image Management) indicates that 26 percent of organizations have lost customer data in the past year — and those are the ones who know it.
The report, entitled Data Privacy – Living by New Rules, quantifies how serious the problem has become.
Drowning in Data Breaches
More than 36 percent of smaller organizations, 43 percent of mid-sized and 52 percent of large organizations have reported data breaches in the past 12 months. Factor in the number of organizations that don’t even realize they’ve had a data breach and the picture grows considerably worse.
Even more striking, organizations that depend most on Personally Identifiable Information (PII) — any data that could potentially identify a specific individual, be used to distinguish one person from another or be used to de-anonymize anonymous data — reported the highest number of incidents.
Data Breaches Quantified
If these findings sound familiar, they should. A December AIIM report published in CMSWire found that data breaches have been steadily escalating.
AIIM’s most recent report showed that 26 percent of organizations suffered loss or exposure of customer data, with 18 percent losing employee data.
In the wake of those breaches, 10 percent received action or fines from a regulator, 25 percent saw a disruption to business and 18 percent suffered a loss of customer trust.
What, Me Worry?
Bob Larrivee, Vice President of Market Intelligence for AIIM International, noted that one finding coming out of these reports is that despite warnings and media coverage of data breaches, security remains only an abstract discussion point in most enterprises.
“It’s one of those things that we talk about all the time [as being] a concern but it’s [also] one of those things that is on the back burner until something happens. It is a reactive situation. Everybody [thinks that because they’ve] never had the situation before [they] must be doing a good job [but] then something happens and [everyone panics] and starts looking at ways to respond instead of planning … in the first place,” Larrivee continued.
Our Own Worst Enemies
Contrary to the common perception of data breaches coming from external sources, the research indicates that data breaches are more likely to be caused by internal threats than external hackers.
Nearly half of organizations surveyed experienced data breaches due to staff intent (19 percent) or staff negligence (28 percent), whereas only 13 percent suffered data losses from external hackers.
From Policy to Prevention
All told, nearly a quarter of respondents felt that senior management was not taking the issue of data privacy breaches seriously enough.
“I think that a lot of time [staff breaches are] non-intentional and have more to do with a lack of training or education than anything malicious,” argued Larrivee. “It stems from the availability of new technologies like file sharing apps,” he reflected.
Larrivee also points out that even putting an information governance strategy in place or a strategy that determines data access permissions is often not sufficient. “[When] you have all these policies and strategies in place, you need to train everyone [as to] what they [should be] doing and why they should be doing it,” he reminded. “Basically, [everyone] needs to be clear about what the policies are and why they need to [follow them].”
Larrivee holds out hope that a culture shift is taking place. He noted that more enterprises are aware of the need to deal with security breaches proactively by training staff and interacting directly with those who have been impacted by the leaks.
He cites the US Department of Health, which posts details of patient-related data breaches online. “They only have to put it up when the breach [affects] 500 or more and breaches range from [document] breaches to laptops being stolen or misplaced. [Yet this is focusing attention] on how serious [the problem] actually is,” Larrivee stated.
The latest incident was only two weeks ago, the result of a lost laptop, and impacted 28,209 individuals. Before that there was a hack on January 14 of a network server with 20,764 individuals impacted, while on January 11 an email hacking incident was reported with 1,009 people impacted, and the list goes on.
In one incident alone in November last, a healthcare provider listed as OH Muhlenberg suffered a data loss from what is described as a hacking or IT incident that impacted 85,000 people.