Taken In for Questioning: How Crime Statistics Can Help Spotlight SaaS Data Loss Risk

How can the approach taken by the brilliant statisticians at FiveThirtyEight start to make sense of confusing, contradictory crime statistics and help you raise awareness within your organization among those ignoring SaaS and cloud data loss risks? Can you help them take their assumptions in for questioning?

 crime scene statistics

Before I answer those questions, let me start with this one: what’s FiveThirtyEight? If you’re following the US Presidential primaries, you might be familiar with their work; if you follow sports, you may even use their predictions to help you win the office football pool. Nate Silver’s FiveThirty Eight was founded on March 7, 2008 as a polling aggregation website, and has since been a source of information for many, including the New York Times. Silver characterizes FiveThirtyEight as “a data journalism site,” and they have more than 2 million viewers.

The crime of “ransomware” and the need for backup have become a hot topic well beyond the IT security community, due in part to a recent ransomware attack on Hollywood Presbyterian Medical Center. In current news, Mac users are now vulnerable to ransomware. Given that, it’s not too far a stretch to look at a meta-analysis of crime statistics by FiveThirtyEight for insights you can use.

So how might we use FiveThirtyEight’s meta-analysis to persuade those within your organization who think SaaS vendors have data loss risk under control, to think again? Let’s look at four statements from FiveThirtyEight’s article, and correlate them to IT and SaaS scenarios.

“Crime statistics often are confusing, misleading and incomplete.”
IT industry analyst surveys and reports on SaaS data risk show similar gaps, even when you review multiple sources to understand what your risks may be. One rarely covered risk topic is the fact that SaaS vendors cannot protect “you from you,” or from accidental, malicious deletions, or overwrites from authorized users and admins.

“Official crime reporting is slow.”
It might surprise you (or not) that the reporting of SaaS data loss can be similarly slow. Within an organization, SaaS data loss might not be noticed for months. For example, an incorrect mapping during a migration may cause data loss that only surfaces after report results start to “look odd” over time, as in one case I heard during a SaaS user group meeting. Similar “slow reporting” issues have been discussed for inadvertent emptying of SaaS trash bins due to retention limitations, and for SaaS data loss due to shared folder deletions.

“Many crimes aren’t defined in a uniform way across cities.”
SaaS data loss risk is rarely defined in a consistent way. Much of what’s defined as risk is tool-and-process focused (vendor SLAs for uptime and their redundant system backups), or bad-actor focused (malware and malicious insider risk.) But few define SaaS data loss risk to include admin error, and so best practices often fail to include a plan to recover from those risks.

“Even when [law enforcement] departments are honest about what’s reported to them, we have no idea what isn’t.”
IT and SaaS application managers may not be aware of the extent of data loss. End users, for instance, who experience data loss to do a SaaS application sync issue may shrug, do rework, and chalk it up to technology, unless the error causes major business issues.

By applying the framework used in FiveThirtyEight’s meta-analysis of crime reporting to SaaS data loss risk, we can see how easy it might be for those within your organization researching SaaS to become overwhelmed by analyst reports and survey results. Using the FiveThirtyEight approach, we can take old assumptions in for questioning, and have an open dialogue with those who made SaaS data protection a low priority due to an incorrect perception of risk.

Still not convinced? Learn more about the “Top 10 Reasons You Need SaaS Data Protection.”

About the Author: Lori Witzel