There are lots of numbers to back up that statement. The Microsoft Security Survey for January through June showed 30.5 percent of all incidents it handled involved equipment theft, by far the largest category of threats to data. Information about breaches compiled by the Open Security Foundation's DataLossDB showed similar results. The disposal, theft or loss of equipment, media and paper documents represented 43 percent of all reported incidents. By itself, theft of all types accounted for 31 percent with stolen laptops the largest category at 19 percent of the total.
That lines up nicely with Microsoft's conclusion that malware incidents - hacking, malware itself and fraud - represent less than half the total of the categories that designate negligence - lost, stolen or missing equipment; accidental disclosure; or improper disposal.
At events, such as last week's user conference for tax and accounting firms held by Thomson Reuters, James has been telling attendees that physical security may require some expensive changes. He says many observers expect Massachusetts regulation 201 CMR 17.00, which went into effect in March, to become a template for other state rules that govern businesses that keep personal information about customers on their computer systems and on paper.
That's where doors come in because of the requirements for physical security the regulation imposes on business.
The Massachusetts approach "requires the server room be locked," James notes. Since many businesses don't have server rooms, they will need them. Once there's a door to shut, the businesses then often need air conditioning systems to keep the equipment cool. Firms also cannot allow non-IT personnel, for example the cleaning staff, into the server room unsupervised, he noted, and would probably need to keep a visitor log. The regulations also affect paper records, and because many firms built open file areas, "It requires a lot of the small firms to buy a door," he says.
Businesses must develop a security plan, which must be filed annually with the state of Massachusetts. They must also show that employees receive two hours of training per year. And the provisions don't just affect companies that have a physical presence in Massachusetts; they apply to any company that holds personal data about customers in Massachusetts.
In many ways, James says, the requirements are so strict and detailed that they may be impossible to adhere to.