Businesses need to be more proactive in their security,
says Verizon Business Security Solutions, which has released the
results of a survey finding that nearly 90% of corporate data
breaches could have been prevented had reasonable security measures
been in place.
The “2008 Data Breach Investigations Report” spanned four years
and more than 500 forensics investigations involving 230 million
records, and analysed hundreds of corporate breaches including
three of the five largest ones ever reported.
The survey found that 73% of breaches resulted from external
sources versus 18% from insider
threats and most breaches resulted from a combination of events
rather than a single hack or intrusion. Nearly two-fifths of
breaches were attributed to business partners, a number that rose
five-fold during the course of the period studied. Nearly
two-thirds (62%) of breaches were attributed to significant internal
errors that either directly or indirectly contributed to a breach.
For breaches that were deliberate, 59% were the result of hacking
and intrusions.
Of those breaches caused by hacking, almost two-fifths were
aimed at the application or software layer compared with operating
system platform exploits which made up 23%. Less than a quarter of
attacks took advantage of a known or unknown vulnerability and
nine-tenths of known vulnerabilities exploited had patches
available for at least six months prior to the breach. A similar
number of breaches involved some type of unknown, including
unknown systems, data, network connections and/or account user
privileges. Worryingly, three-quarters of breaches are discovered
by a third party rather than the victimised organisation and go
undetected for a lengthy period.
“Security breaches and the compromise of sensitive information
are very real and growing concerns for organisations worldwide,”
warned Dr. Peter Tippett, vice president of research and
intelligence for Verizon Business Security Solutions. “This report
can help companies better understand data breaches – how they occur
and the commonalities that exist. Most importantly, it urges
organisations to be proactive in their approach to security – the
absolute key to safeguarding data.”
Verizon advised that companies align process with policy and
create a data retention plan. In addition, it advised firms to
control data with transaction zones and to monitor event logs. But
action was the key: in 59% of data breaches, the organisation had
security policies and procedures established for the system, but
these measures were never implemented.