ILTA White Papers

Risky Business

Issue link: http://read.uberflip.com/i/45522


THE SCOPE OF THE PROBLEM

Here are some statistics about the rising costs of data-leakage incidents over the past four years, as shown by Ponemon Institute studies in 2007 and 2010:

Average Cost per Breach
• 2007 = $6.3 million, up 43% since 2005
• 2009 = $6.8 million, up 5.9% since 2007
• 2010 = $7.2 million, up 7% since 2009

Average Cost per Record
• 2007 = $197
• 2009 = $204
• 2010 = $214

Other reports reveal common reasons for those losses. Verizon's "2011 Data Breach Investigations Report," one of the industry's most respected annual reports, reveals many interesting data-loss prevention (DLP) statistics. Of the roughly 800 data-compromising incidents examined for the report:

• Only half involved malicious hacking
• 29% involved physical attacks
• 16% were accomplished by insiders
• 11% involved social engineering
• 83% involved targets of opportunity, rather than ones singled out intentionally
• 92% involved attacks that were not difficult to perform
• 96% were avoidable by simple controls
• 86% were discovered

Let's take a closer look at the current state of our industry. During the 2011 ILTA conference, I took part in a survey conducted by Kraft Kennedy around information security in the legal industry. When I got the results shortly after the conference, a couple of items captured my attention:

• Social engineering risks ranked high, with over 60 percent of firms regarding this as high or medium risk. I am impressed with this awareness because this is a real threat.
• Both insiders and cloud providers ranked as high concerns for risk at 73 percent. Insider attacks on law firms have been in the news recently and certainly tend to make headlines when they occur. Dropbox and Amazon are a couple of examples of data storage and cloud services also making the news.

If you still don't believe that these threats are real, then perhaps this will sway you.
In July 2011, the Law Firm Risk Management Blog reported that in two prominent law firm-related insider trading cases, judges handed out jail terms. There have been a few more of these instances during the last several months:

• The IT manager — charged with using his access to electronic firm documents to support almost two dozen trades — was sentenced to a year and a day in federal prison, to be followed by two years of supervised release. (This follows a previous $82,000 fine.)
• The lawyer who pled guilty to going on internal "fishing expeditions" to find information supporting extensive insider trading was
