Data Breach Report: Most Incidents Could be Prevented by Security Basics

New Study Tracks Trends from Investigations of 500 Data Breaches Eighty-seven percent of major data breaches could have been avoided through reasonable security measures.

This is the conclusion of a new report from Verizon Business Security Solutions, analyzing 500 forensic investigations of data breaches. Financial institutions made up 14 percent of all companies included in the report, according to Dr. Peter Tippet, Verizon Business vice president of research and development.

The "2008 Data Breach Investigations Report" also shows that 75 percent of breaches are discovered by a third party, rather than the company or institution that was breached, and many of these breaches go undetected for too long.

Contrary to current belief that many data breaches are caused by insiders, Tippet and his team found that insider-caused data breaches only made up 18 percent, versus 73 percent caused by outsiders. "But that's also because we now consider partners (vendors) a discrete entity," Tippet says. "The partner connection and networks problem have grown five times in terms of problems and size."

"This aligns with institutions realizing that their networks extend to their partner's networks and other far-flung entities, acquisitions and customers," Tippet says. "It's clear that this is a huge and growing issue." The risk, he adds, works in both directions in that the small credit union or bank w/o adequate security also presents risks to their major outsourcers.

Another big piece of the partner/vendor problem is a factor that is overlooked by many institutions. "The company that controls the institution's HVAC system via computer controls or an off-the-wall system that isn't really part of the bank's business -- they're part of what keeps the bank running," Tippet says. Remote system administrators that are running in the background or are invisible on a bank's network "will be the ones to watch," he predicts.

Recommendations
The report recommends simple actions that reflect the basics of a sound, compliant information security program. Done diligently and continually - which they clearly weren't in the breaches that were studied - these steps can help keep banking institutions compliant and secure. Among them:

Alignment of policy and process.
In 59 percent of data breaches, there were security policies and procedures established for the system, but the measures were never implemented.
Create a data retention plan.
With 66 percent of all breaches involving data that a company did not even know was on their system, it's critical that a company know where data flows and where it resides.
Control data through network segmentation.
Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack.
Monitor event logs.
The data logs need to be looked at continuously and systematically, and response initiated when an event is found. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise.
Create an incident response plan.
If and when a breach is suspected, the incident response team must be ready to respond, not only to stop the data compromise, but to collect forensic evidence for future prosecution if needed.
Increase employee awareness.
Only 14 percent of data breaches were discovered by employees of the company that was breached, even though employees are the first line of defense in safeguarding data.
Employ mock-incident testing.
Ensure staff is well-trained to respond to a breach. Run drills and test people's abilities, judgments and actions during a mock crisis.

About the Study
This is the first of what is expected to be many reports from Verizon Business Security Solutions.

Verizon Business, which bought Cybertrust in 2007, merged all of the two companies' forensic teams and risk intelligence groups into one area. The risk intelligence group handles Internet intelligence gathering. With more than 1 millions sensors spread across the Internet's backbone, Verizon Business gathers more than a terabyte of information daily just from log data generated by these sensors.

"If you could know what places were attacked most frequently and you knew how much each thing cost, then you could make business decisions about security issues," Tippet says. "Nobody else in the computer security space has our network, and no one in the telecom network arena has our security set up. We operate on all levels of the stack."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.