Losing kit != losing data
Statistics etc blah blah blah.
Losing kit is bad, unless of course you lose your horrible laptop and get a shiny new one. But losing kit does not mean that any data has been lost.
However, anecdotal evidence would suggest that there is a correlation between the amount of sensitive data on board a piece of kit, and the likelihood that some idiot will leave it on a train/bus/backseat of taxi or in a pub loo.
In an organisation that I am quite familiar with, I know of a case that went like this:
- External party comes in to do some work
- CIO says 'no 3rd party laptops, no removable media'. Good man.
- External party takes data on a USB stick. Loses it. Mucho sensitive data on it. Fesses up.
- CEO 'appoints' CIO as data security officer, tries to sack him for security breach
- CIO has a fit and threatens legal action
- External contractor slapped across the wrist with wet bus ticket
- 'Reorganisation' a month or two later sees CIO role downgraded
So CIO was hoisted on a large petard as a scapegoat precisely because the organisation had failed to take data security seriously - until there was a problem.
But by then, said horse has bolted.
I'd like to see a study on how many cases are reported compared to how many there really are...