Was 2012 a big year for IT security breaches?

I don’t have quantitative information on exactly how many data breaches there were during 2012.  However, during this period there were many prosecutions, enforcement notices and monetary penalties issued by the ICO (UK Information Commissioner's Office).  These included a record monetary penalty of £325,000 for a hospital in the UK where discs containing patient data were sold on the internet, a penalty of £150,000 for Greater Manchester Police where an officer lost a memory stick with unencrypted information relating to more than 1000 people linked to serious crimes, and a penalty of £120,000 issued to a council where sensitive information about a child protection legal case was emailed to the wrong person.  There have also been a number of cases of hacktivism and a worrying trend towards "ransomware" – an example being where extortionists encrypted patient data belonging to an Australian hospital and demanded $5000 to restore access.

Does this mean that the IT security industry is losing the battle against the hackers?

In terms of IT security technology there is a continuing arms race. As new kinds of security are developed, the criminals find alternative tools, tactics and procedures to overcome them.  This challenge needs to be considered against a wider scope than technology alone.  As long as criminals can make money at – what they consider to be – an acceptable level of risk, they will continue.  The challenges include the lack of consistent laws and enforcement across the globe and the ability of criminals to process and bank their ill-gotten gains.  As an example of this, Sophos was able to trace the gang behind the “Koobface” malware, but there was no chance of being able to prosecute them in the UK.

What are the biggest IT security threats facing companies in 2013?

The single biggest threat is getting the owners and holders of information to recognize its value and their responsibilities.  What is needed is a much greater degree of “information stewardship” to take appropriate care of information – to treat it like money.  The examples from the ICO show that there are still too many organizations that fail to take adequate care of the information they hold.  In addition, cyber criminals often seem to be better at recognising the value of information than its owners.  The cyber criminals are evolving their tools, techniques and processes to focus their attacks on the highest value targets.  So organizations need to guard against and prepare for these kinds of events.  This means a change of culture as well as applying the best technology.

The KuppingerCole advisory note “From Data Leakage Prevention (DLP) to Information Stewardship” – 70587 provides more details on this subject.  This subject will also be covered at the European Identity & Cloud Conference held in Munich during May 2013.