Study: Mistakes, Not Insiders, to Blame for Most Breaches
2008 was a banner year for security breaches, according to new research from Verizon. And while many security vendors have been banging the drum about the threat of malicious insiders, this report indicates organizations should be more wary of outside attacks (Read Senior Editor Bill Brenner's take on the insider threat in Laid-off Workers as Data Thieves?)
The "2009 Verizon Business Data Breach Investigations Report," released this week finds that hackers continue to intensify and sharpen their efforts to steal sensitive data. In fact, more electronic records were breached in 2008 than the previous four years combined. The study's authors said the upswing is fueled by a targeting of the financial services industry and a strong involvement of organized crime. Corporations fell victim to some of the largest cybercrimes ever during 2008, noted the report (Get tips on surviving a breach investigation in 5 Ways to Survive a Data Breach Investigation).
The findings debunk the motion that insiders account for the biggest threat to security in most organizations and instead finds that 74 percent resulted from external sources. Only 20 percent were caused by insiders.
The study, the second annual conducted by Verizon, is based on data analyzed from Verizon Business' actual caseload comprising 285 million compromised records from 90 confirmed breaches. The financial sector accounted for 93 percent of breaches, and a staggering 90 percent of these records involved groups identified by law enforcement as engaged in organized crime.
The research authors also noted that the investigation found most breaches were avoidable. Nearly nine out of 10, 87 percent, were considered avoidable through simple or intermediate controls. A staggering 81 percent of victims were not Payment Card Industry (PCI) compliant.
Another finding that may surprise some is that 99.9 percent of records were compromised through servers and applications, not from user sources often associated with data leaks, such as desktop PCs and mobile phones. Highly sophisticated attacks accounted for only 17 percent of breaches and 83 percent of attacks were considered to be what Verizon termed as "not highly difficult" to pull off. However, the study authors also note that while the percentage of sophisticated attacks was small, they accounted for 95 percent of the total records breached.
» posted by ITworld staff
CSO
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
data breach
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Data Breaches Due Largely to Lagging Business Culture
Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent new eCulture, breaches will, and continue to, increase. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.