Most Data Security Breaches Avoidable, Study Says

MBA (6/12/2008 ) Palaparty, Vijay
Nearly nine out of 10 corporate data breachescould have been prevented had reasonable security measures been in place, according to a report from Verizon Business, Basking Ridge, N.J. The report also said 73 percent of breaches resulted from external sources versus only 18 percent from insider threats.
"Security breaches and the compromise of sensitive information are very real and growing concerns for organizations worldwide," said Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, which conducted the study.

Moreover, the report revealed that 59 percent of data breaches involved organizations that already had established security policies and procedures for systems but were never implemented. Additionally, though breaches attributed to insiders were fewer in number, they had a larger negative impact than those caused by outsiders, the report said. Thirty-nine percent of breaches were attributed to business partners, a figure that increased five-fold during the course of the four-year study period.

“Most breaches resulted from a combination of events rather than a single action,” said the report, titled 2008 Data Breach Investigations Report. “Some form of error often directly or indirectly contributed to a compromise. In terms of deliberate action against information systems, hacking and malcode proved to be the attack method of choice among cybercriminals.”

Sixty-two percent of breaches were reported as a result significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent resulted from hacking and intrusions. Thirty-one percent of breaches incorporated malicious code, 22 percent exploited a vulnerability and 15 percent were due to physical threats.

Ninety percent of known vulnerabilities exploited had patches available for at least six months prior to the breach, the report added. But 66 percent of breaches involved data the victim did not know was on the system. Furthermore, 75 percent of breaches were discovered by a third party and not the victim.

“Most breaches go undetected for quite a while,” the report said. “Attacks tend to be of low to moderate difficulty (83 percent) and largely opportunistic (85 percent) in nature than targeted. Due, in part, to these reasons, investigators concluded that nearly all breached would likely have been prevented if basic security controls had been in place at the time of attack. In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple—if you don't know where data is, you certainly can't protect it.”

The financial services sector revealed good protection compared to other industries, accounting for 14 percent of breaches. The retail and food and beverage industries accounted for more than half of all cases.

International incidents were also reported to be on the rise. Attacks from Asia, particularly in China and Vietnam, often involved application exploits which lead to data compromise. The Middle East often originated defacements and Eastern Europe and Russia were commonly associated with compromising point-of-sale systems.

"As the world becomes more interconnected through information technologies, as enterprises aggressively seek global partnerships and as the laws governing the handling and disclosure of such incidents mature, it is likely that this upward trend of international data breaches will continue," the report said.

The report emphasized implementing security policies and procedures for systems. It also said organizations should create a data retention plan, helping them know where data flows and where it resides.

The report also said transaction zones could aid in controlling data. “Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack. In other words, wall off data when and where appropriate,” the report said.

Monitoring event logs, creating an incident response plan and increasing awareness were also suggested.

"This report shows it's not about clever or complex security protection measures,” Tippett said. “It really boils down to doing the basics from planning to implementation to monitoring of the data."