Verizon Business just posted the results of their 2009 Verizon Business Data Breach Investigations study this morning. This is Verizon Business’ second annual study, and it highlights some interesting – and unfortunately not surprising – statistics. Of the 285 million compromised records that Verizon studied, 93 percent occurred in the financial services sector (keep in mind that laws require those companies to report every breach, so that number will naturally be higher).
Believe it or not, a staggering 90 percent of these compromised records involved groups engaged in organized crime. The fear of the “cyber bad guys” is not paranoia – they are out there and they are actively infiltrating the core systems of the world’s largest enterprises.
Two findings in particular stood out to me:
- In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same.
- Being PCI-compliant is critically important. A staggering 81 percent of affected organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) had been found non-compliant prior to being breached.
Despite efforts to comply with a multitude of government regulations and mandates, organizations still struggle with security breaches. I believe a major contributor to this is that many companies are still in the mode of “checking the box” to meet compliance requirements – which in many cases means doing the minimum to get by. To truly protect themselves from the threat of breaches and fraud, companies need to put strategies and processes in place that focus on understanding and mitigating IT risk, with a side benefit being the ability to achieve and maintain compliance.
The detailed report offers practical advice from the Verizon Business RISK team for organizations looking to mitigate their IT risk. Several focus on identity governance best practices, including:
- Change Default Credentials. More criminals breached corporate assets through default credentials than any other single method in 2008. Therefore, it’s important to change user names and passwords on a regular basis, and to make sure any third-party vendors do so as well.
- Avoid Shared Credentials. Along with changing default credentials, organizations should ensure that passwords are unique and not shared among users or used on different systems. This was especially problematic for assets managed by a third party.
- Review User Accounts. Years of experience suggest that organizations should review user accounts on a regular basis. The review should consist of a formal process to confirm that active accounts are valid, necessary, properly configured and given appropriate privileges.
- Assure HR Uses Effective Termination Procedures. The credentials of recently terminated employees were used to carry out security compromises in several of the insider cases this year. Businesses should make sure formal and comprehensive employee-termination procedures are in place for disabling user accounts and removal of all access permissions.
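As an added example (not from the report or this post), the four practices above can be turned into one scripted account review: it flags accounts still on a vendor default password, accounts sharing a password, accounts whose owner HR marks as terminated, and accounts with no recent login. The account fields, the default-password list and the inventory are constructed for illustration.

```python
# Added illustration: a periodic account review over a constructed inventory.
from dataclasses import dataclass
from datetime import date
import hashlib

def pw_hash(password: str) -> str:
    # Illustrative fingerprint only; real credential stores use salted, slow hashes.
    return hashlib.sha256(password.encode()).hexdigest()

# Fingerprints of vendor default passwords the review compares against (constructed).
DEFAULT_PASSWORD_HASHES = {pw_hash(p) for p in ("admin", "password", "changeme")}

@dataclass
class Account:
    username: str
    pw: str              # password fingerprint (constructed field)
    last_login: date
    owner_active: bool   # HR record says the owner is still employed
    managed_by_vendor: bool

def review_accounts(accounts, today, stale_days=90):
    """Return (username, finding) pairs for every account that fails a check."""
    findings = []
    # Group accounts by credential so shared passwords show up across users/systems.
    by_hash = {}
    for a in accounts:
        by_hash.setdefault(a.pw, []).append(a.username)
    for a in accounts:
        if a.pw in DEFAULT_PASSWORD_HASHES:
            findings.append((a.username, "default-credential"))
        if len(by_hash[a.pw]) > 1:
            findings.append((a.username, "shared-credential"))
        if not a.owner_active:
            findings.append((a.username, "terminated-owner-still-active"))
        if (today - a.last_login).days > stale_days:
            findings.append((a.username, "stale-account"))
    return findings

def audit_sample():
    # Constructed inventory: one vendor-managed service account on a default
    # password, two users sharing a password, one leaver never disabled, one clean.
    inventory = [
        Account("svc_pos", pw_hash("admin"), date(2009, 4, 10), True, True),
        Account("jdoe", pw_hash("Spring2009!"), date(2009, 4, 14), True, False),
        Account("asmith", pw_hash("Spring2009!"), date(2009, 4, 12), True, False),
        Account("rroe", pw_hash("x7$kQpL2vN"), date(2008, 11, 1), False, False),
        Account("bkim", pw_hash("c0rrectH0rse"), date(2009, 4, 1), True, False),
    ]
    return review_accounts(inventory, today=date(2009, 4, 15))

if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Feeding the script from an identity store export and diffing its output between runs gives the "formal process" the report calls for, rather than a one-off spreadsheet check.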
The report’s press release headline says it best. Most breaches are avoidable if proper precautions are taken. Not doing so can cost companies millions in theft, added cycles to identify and correct breaches, and even more in lost trust and brand value. This truly needs to be more than a check-box exercise.