“It is important to realize that the financial losses reported by companies as a result of data losses are just a drop in the ocean compared with the real losses which businesses bear on a daily basis,” said Alexander Zarovsky, Head of International Business Development, commenting on the results of the research. “We have recently observed an upward trend in media reporting of confidential data leaks, but there are grounds to believe that the number of ‘public’ incidents represents no more than 3–5% of the true number, and an even smaller number of companies indicate their financial losses. Taking account of all these factors, these tens of millions of dollars in losses turn into tens of billions – an enormous sum.”
InfoWatch analysts note that in calculating total losses, it is essential to take account of profit lost as a result of the incident, the cost of eliminating the consequences of leaks, and legal investigations, compensation payments, and so on. It is difficult to calculate and assess all costs which may arise as a result of criminal actions by staff, such as collusion, blackmail, or fraud, or costs linked to the theft and distribution of confidential information, for example banking secrets or commercial or financial information.
The introduction of security tools has had an impact on the ratio of accidental to intentional leaks, since the tools currently available on the market are more effective against accidental incidents than against intentional leaks. According to the report, the percentage of accidental leaks has dropped: such leaks made up just 38% of incidents in 2012, while intentional leaks accounted for 46%. As before, the majority of leaks – 89.4% – involved personal data (this figure was 92.4% in 2011). Readily available personal data is of interest to a wide circle of criminals because it can be sold on the black market. As a result, this type of leak is widespread, and a single database containing personal data can be sold to many buyers.
Commercial and government secrets are generally leaked ‘to order’, despite the fact that the organizations holding them take information security very seriously and strive to comply with the requirements of the law and standards. With regard to the distribution of incidents by organization type, in 2012 commercial organizations were responsible for 41% of incidents, 5% fewer than last year, and the proportion of incidents occurring in educational organizations fell by more than half, to 16%. Government institutions fared much worse in protecting information, accounting for 29% of information leaks, a substantial increase compared with the previous year.
The year 2012 was the year of leaks from government organizations. There has been a noticeable increase in the proportion of leaks which emanated from government sources, demonstrating that the public sector is not paying sufficient attention to the issue. There is a second, still more obvious, cause: the mass use of mobile devices (smartphones, laptops, and tablets), for which information security teams within government and municipal organizations around the world were clearly not prepared.
“According to InfoWatch analysts, last year government organizations became the ‘leaders’ in terms of the increase in confidential information leaks,” says Natalia Kaspersky, CEO of InfoWatch. “This trend shows that the level of information security in the public sector remains insufficient. Government organizations must pay more attention to information security considering the fact that these organizations handle information of high national importance, such as government secrets, confidential strategic information, etc. There are also huge volumes of personal data circulating within these organizations.”
The annual research carried out by the InfoWatch Research Center is based on the company’s own database, which was started in 2006 and includes only incidents reported in the media and other open sources. This is the first time the analysts have encountered a picture that differs from one industry to another. Against the general background, banks, insurance companies, and telecom operators stand out: in these industries, the proportion of accidental leaks is steadily decreasing. With some slight reservations, this picture applies across the whole commercial sector. Analysts link this to the growing popularity of information security tools and means of monitoring information flows.
Gartner suggests that around a third of companies are already using DLP (data leak prevention) systems. Experts stress that the perception of DLP systems as software capable of preventing leaks on its own, without any involvement of the information security team, is fundamentally wrong. While DLP systems can adequately handle accidental leaks, preventing intentional leaks requires a significant consulting element during the development, integration, and support of these systems, and particularly in investigating incidents which have occurred.
In the near future, we can expect changes in the way that DLP systems are perceived and implemented by both vendors and clients. As a result, the information security consulting sector will evolve, improving the information security culture of companies which use these systems. Over the next 3–5 years there will obviously be a reduction in ‘typical’ incidents – accidental and ‘inexpensive’ intentional leaks.