Bruce Schneier, the security guru, posted about the differences in information security breaches by industry. Schneier is referencing a scientific study of security breaches that set out to determine whether there were major differences in the types of breaches by industry. Professional Services is one of the industries highlighted.
Looking into the results of the study, something struck me, and it was not the differences. The study took a negative-conclusion approach, attempting to prove that there were no differences, and what actually struck me were the similarities. Schneier is always great at pointing out the obvious that gets overlooked amid frenzy and fear. Most organizations spend their internet security time and money reacting to media headlines about banks being hacked. However, these attacks are actually the lowest information-loss concern for all industries. Here is where the similarities come in. The top breach concern is hardware loss (38%), then internal staff – malicious or not (35%), followed by internet attacks (22%). Logically, an organization should commit its security resources along these same lines. But fear and frenzy drive organizations to expend the bulk of their security effort on protecting against hackers.
While at the Utah State Bar, when I would present on security (and the duty of lawyers holding client data), invariably everyone figured installing a firewall was information security. Given the actual threats to law firm information, firms and lawyers would be better off prioritizing their security by: 1) encrypting their hardware (especially laptops), then 2) establishing and following good information policies and procedures for staff, and finally 3) getting on top of firewalls, virus protection, etc.
By the way, the Professional Services industry did match the expected averages. Keep this in mind next time you worry about the security of client information in your possession.