Data Breach Report: Most Incidents Could be Prevented by Security Basics
New Study Tracks Trends from Investigations of 500 Data Breaches
Eighty-seven percent of major data breaches could have been avoided through reasonable security measures. This is the conclusion of a new report from Verizon Business Security Solutions, analyzing 500 forensic investigations of data breaches. Financial institutions made up 14 percent of all companies included in the report, according to Dr. Peter Tippet, Verizon Business vice president of research and development.
The "2008 Data Breach Investigations Report" also shows that 75 percent of breaches are discovered by a third party, rather than the company or institution that was breached, and many of these breaches go undetected for too long.
Contrary to current belief that many data breaches are caused by insiders, Tippet and his team found that insider-caused data breaches only made up 18 percent, versus 73 percent caused by outsiders. "But that's also because we now consider partners (vendors) a discrete entity," Tippet says. "The partner connection and networks problem have grown five times in terms of problems and size."
"This aligns with institutions realizing that their networks extend to their partner's networks and other far-flung entities, acquisitions and customers," Tippet says. "It's clear that this is a huge and growing issue." The risk, he adds, works in both directions: a small credit union or bank without adequate security also presents a risk to its major outsourcers.
Another big piece of the partner/vendor problem is a factor that is overlooked by many institutions. "The company that controls the institution's HVAC system via computer controls or an off-the-wall system that isn't really part of the bank's business -- they're part of what keeps the bank running," Tippet says. Remote system administrators that are running in the background or are invisible on a bank's network "will be the ones to watch," he predicts.
Recommendations
The report recommends simple actions that reflect the basics of a sound, compliant information security program. Done diligently and continually - which they clearly weren't in the breaches that were studied - these steps can help keep banking institutions compliant and secure. Among them:
About the Study
This is the first of what is expected to be many reports from Verizon Business Security Solutions.
Verizon Business, which bought Cybertrust in 2007, merged the two companies' forensic teams and risk intelligence groups into one area. The risk intelligence group handles Internet intelligence gathering. With more than 1 million sensors spread across the Internet's backbone, Verizon Business gathers more than a terabyte of information daily just from the log data generated by these sensors.
"If you could know what places were attacked most frequently and you knew how much each thing cost, then you could make business decisions about security issues," Tippet says. "Nobody else in the computer security space has our network, and no one in the telecom network arena has our security set up. We operate on all levels of the stack."