By Adam Dodge

Recently, the University of Texas, Pan American announced that a staff member lost an external hard drive containing names, addresses and Social Security numbers of around 1,200 UTPA staff. The good news for these individuals is that the hard drive was found by another UTPA staff member, and it does not appear that any unauthorized individuals had access to staff information. However, reading over one of the initial news stories about this security incident brought a question to my mind.

In an article over at The Monitor, UTPA Vice President for Business Affairs James Langabeer stressed that the loss of this external hard drive was only an “incident” and did not constitute a “breach” by an outside individual. According to Langabeer, “It is an incident, it’s not a breach. A breach is when someone takes something out of your computer and deliberately takes it from you. If you lose it, it’s an incident.”

What I find so fascinating about this statement is the distinction it draws between incident and breach, and the implication that an “incident” should not be viewed in the same light as a “breach”. So I started thinking: is this distinction merely a semantic issue, or is there some underlying assumption amongst the general public that an incident is an everyday, and perhaps less dangerous, occurrence than a breach? One of the words is a simple noun that brings to mind a singular event of some type that may or may not be harmful. The other word is more action oriented and brings to mind, at least to my mind, images of whales bursting through the surface of the water and other dynamic events. Given the real differences between these words, should they be used as interchangeably as they are in the Information Security arena?

I think that making a distinction between breach and incident in this manner is dangerous. While I believe there are indeed differences between breach and incident, I do not agree with the portrayal of each as separate from the other. Instead, a breach is a subset of the overall types of information security incidents that can affect an organization. Other types of incidents can include theft, loss, unauthorized disclosure, denial of service, mistakes, and a whole host of other issues that are too numerous to list. In the end, any occurrence that is contrary to current information security controls is, in effect, an incident. This means that any breach of information systems, that is, any intrusion that gets past security controls, is in fact an incident.

One thing that we absolutely need to make clear as security individuals is that these “incidents” caused by internal employees are, at the very least, just as dangerous as “breaches” by external attackers. I have written a few times about the insider threat faced by organizations. Studies have continued to prove that internal employees cause a large majority of information security incidents. Yet, organizations still attempt to pass off employee misconduct as a lesser offense when in fact these are the very employees who both know where the information is and have direct access to this information.

However, in the end, whether caused by a “breach” or an “incident”, the loss and/or exposure of protected information is a signal to the organization that something is not working properly. This is what is important. We need to understand that it is not just about fixing the problem. Instead, it is about understanding why the problem occurred and creating controls to help prevent similar occurrences in the future.

Unfortunately, it seems that more organizations are beginning to make this distinction in press releases surrounding security incidents.

About the Author Guest Blogger

