Tuesday, 10 July 2007

Education, education, education

I did a lot of Maths when I was younger (that's 'Math' for my American readers, sorry for the language barrier). I did GCSE Maths a year early, then Additional Maths and Extra Maths the year after. 2 years later for A-levels I did Maths and Further Maths, topped off with a side helping of Physics, which I then went on to study at University. Anyone still reading?

Despite this, I am a fairly rounded individual. Slightly more rounded than I'd like right now in fact, but the Spanish like to produce pork-based products and I like to eat them. What none of this meandering tells you is my complete inability to work with statistics. Perhaps this is why I am in awe of Alex Hutton so regularly, with his swift analyses of risk, percentages and pie charts. Mmm, pie...

Actually, I think it's a book my Dad had when I was younger, I can still remember it vividly, called "How to lie with statistics". I was not prone to lying as a child, and so my aversion to statistics was germinated. What I can do quite well as a result is spot when someone is trying to pull the wool over my eyes with stupid made up figures, self-serving clap-trap and pointless pontification. I urge you read my post on PCI Answers about some of this type of gratuitous balderdash served up by no less an institution than our very own RSA. It's all gone downhill over there since the storage monkeys took over.

So, imagine my delight when Walt Conway of Walter Conway Associates got in touch through this very blog and sent me some statistics of his own. First of all, I have 3 points to make here:

1. Walter was incredibly polilte, even apologising for emailing me directly, when I was really happy to have contact with someone so obviously involved and interested in his field.
2. Walter is experienced. Far more so than I. His research is the most thorough I've seen in, well, ever.
3. People pay VERY good money for this kind of research, and he sent it to me for free, then told I could say what I like about it.

This is either an incredibly kind hearted, generous man who has probably already made his fortune and now wants to give back to the security community, or a crazed lunatic trying to make a point by emailing bloggers with low readership. Seeing as how Walt works in Higher Education after 30 years in Financial Services, I will assume the former until he comes at me with a pitchfork.

So, back to the research... it quite simply turns "received wisdom" (pronunciation key: sales bullshit) on its head. Walt has analysed 666 (spooky) breaches made in the last 7 years (I didn't even know there were that many). And the results look nothing like what we've been told.

Some of the best stuff lies in his table of statistics:

Source of AttacksBusinessEducation GovernmentMedical Total
Inside - Accidental16%22%33%15%22%
Inside - Malicious6%4%4%8%


Hmm... 72% of attacks come from where? OUTSIDE? But... but... the salesman told me it was INSIDE! For those who don't believe, read the report which Walt has put together. He even tells you what qualifies as internal and what qualifies as external, so don't go berating me for that.

It's gold dust. I'm still reading the report and looking at the statistics for little nuggets. 2 things which made me chuckle:

1. 33% of breaches in the government sector are accidental. Holy crap! Who let Dubya loose on the servers?

2. 8% of medical attacks are malicious internal ones - more than any other industry. Well, you can't trust doctors these days can you? If they're not stealing your medical records, they're out blowing up airports.

But, statistics out of the way for a moment. The largest problem being faced today, hands down, across all sectors? Laptop theft. After this, things look pretty tame except in education, where hacking is still rife. This is the point of Walt's report, so I'll let you read it and draw your own conclusions.

But you know why people are stealing laptops? Because they want your valuable data? Nah, it's because they can. Most thieves are opportunists, always have been, always will be, and, as always, human behaviour is the thing we must protect against, and educate.

No comments: