Evan Schuman has an intriguing blog post on the McAfee blog about whether the reduced number of data breach reports at DataLossDB.com is indicative of fewer actual data breaches. His answer is unequivocally “No.” His reasoning is as follows:
- Media outlets are less interested in data breaches and therefore not publicizing them as frequently.
- Retailers, banks, hospitals (etc.) are getting better at hiding breaches.
- Lawyers are getting better at skirting disclosure laws.
- Even if the number of breaches is lower, there are (or may be) larger numbers of cards/records being compromised.
- Retailers (et al., I assume) don’t know about some breaches and therefore can’t report them.
I have a hard time understanding how Schuman can be so sure when he offers essentially zero evidence for his assertions. The approach seems ripe for confirmation bias.
Strangely, Schuman then has this to say:
> All of those excuses aside, we can now get to the core issue. Are retailers better protected today? Have they learned their lesson and are they actually running more secure networks than before? The answer to that question, as narrowly phrased, is “Yes, absolutely.” But it’s more along the lines of “Retailers were two percent effective against data thieves before and today they’re nine percent effective.” They’re certainly more secure than they were, but they aren’t even close to being sufficiently secure.
This is confusing to me. If I am reading him correctly, Schuman devotes half of his blog post to making assertions that data breaches are not going down, and then shoots it all down with this paragraph, where he asserts (unknowingly, I suppose) the opposite. I don’t know how he can believe breaches are continuing at the same clip if retailers are also getting better at security.
The only “out” I see is to say that although vulnerability levels are lower, they are more than offset by increasing threat levels.