
Verizon Business has released a first-of-its-kind study (Press Release) on data breaches. They reviewed over 500 investigations on hundreds of corporate breaches. Their results were surprising:
73% were from external sources, while only 18% were insiders. 39% of the breaches were because of business partners. Within the internal sources, the breakdown was 50% of breaches caused by the IT admin and 41% by employees (I guess the IT admin doesn’t count as an employee?). Within the business partner category, 57% of breaches were from a partner asset or connection.

Whoa – you mean a company could break into my system through a business partner’s system? </sarcasm> A lot of people (and companies) don’t realize this. They don’t verify the security of the third parties they deal with. This is very important to evaluate, especially if the business partner has access to your data – even if it stays on your network.

This is a first-of-its-kind report, and it will probably be one of the few, as companies do not make this information public, so only investigators have access to this kind of data.

The research was done by the Verizon Business Investigative Response team on cases that they were directly involved with over 4 years (2004-2007).

The report is fairly short, and only includes aggregated data, but it’s well worth reading to see what “really” happens. What I’d like to see is a better breakdown of their client demographics – like company revenue rather than just company type and size.

2 thoughts on “Data breach research”

  1. Laura: Legally speaking, what is “reasonable security?” FTC punished TJX for not having it, but FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if “reasonable security” were present. That implies 9 in 10 breach victims were in violation of law. The study’s outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is “an extremely complex challenge.” In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon’s reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. —Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
