DATA PROTECTION WEEKLY SPECIAL EDITION

Each year since 2004, Verizon has released a Data Breach Investigative Report.  The 2012 Report (based on 2011 data) is now available.  The Report, which contains a compilation and analysis of reported breaches, should be of interest to business owners, insurers, auditors, security experts, and others involved in this field.  This Special Edition of Data Protection Weekly will provide you with several of the most important highlights of the Verizon Report.  Please contact me if you would like a complete copy of the Report.

The Report was based on 855 breached incidents, which resulted in 174 million records being compromised. Data for the Report was collected by Verizon, with contributions by the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police.  Data breaches included in the Report came from 36 countries.  The Report recognizes that there is no way of knowing the total number of data breaches across all organizations in 2011.  Therefore, there is no way of knowing what proportion of all data breaches are represented in the Report.

Here are the highlights:

Demographics

The most effected industry is Accommodation and Food Services.  This industry was the subject of 54% of the reported breaches.  Next was Retail Trade at 20%, followed by Finance and Insurance at 10%, and Health Care and Social Assistance at 7%.  The remaining 9% were Information and Other.

A threat agent is classified as an entity that causes or contributes to a breach incident.  There can be more than one agent involved in any particular breach.  The Report breaks down threat agents into three categories, external, internal and partners.

External threats originate from sources outside of the organization and its network of partners.  Internal threats are those originating from within the organization.  Partners include any third parties sharing a business relationship with the organization.  The Report found that 98% of breach incidents involved external threat agents.  Internal threat agents were involved in 4% of incidents, and partners were involved in less than 1% of data breaches.

It should be noted that internal agents whose role in the breach was limited to a contributory error, such as an unintentional error that was not a policy violation, are not included.  Interestingly, only two years earlier, internal agents caused 48% of the data breaches.

Not surprisingly, organized criminal groups were behind 83% of all breaches.  External agents were motivated by money in 96% of the breaches.  They steal information they can turn into cash.  A final note on internal breach agents, the Report hypothesizes that many of these “insider” crimes go unreported because the organization is unaware of them, or because they choose to handle it internally for political or business reasons.

Hacking was involved in 81% of the breach incidents.  Hacking is defined as all attempts to intentionally access or harm information assets without authorization or in excess of authorization by thwarting logical security mechanisms.  Hacking is usually done remotely and allows the attackers the benefit of anonyminity.

Malware was involved in 69% of the attacks.  Malware is defined as any malicious software, script or code used for the purpose of compromising or harming information assets without the owner’s informed consent. Obviously, many attacks use a combination of hacking and malware.

Other categories of breaches included physical attacks, which require physical actions and/or close physical proximity, such as an ATM skimming operation, and  social tactics, such as phishing and elicitation, which involve deception, manipulation and intimidation to obtain data.

Many organizations allow their employees to use their personal devices for work purposes.  In years past, this might have only involved laptops.  Now, however, we are dealing with home computers, which connect remotely, tablets and smart phones.  More and more companies are involved in cloud computing.  The Report found that in 91% of the breaches, the breach involved a corporate owned asset.  Partner owned assets were involved in 16% of the breaches, and employee owned assets were involved only 1% of the time.  It will be interesting to see if the percentage of employee owned assets involved in breaches is higher next year as a result of tablets and smart phones being used more and more to access company data.

The Report qualified breaches by the level of skill needed to commit the breach.  Somewhat alarmingly, 89% of the breaches required only low or moderate skill.  This would appear to be connected to the finding that 79% of breach victims were targets of opportunity.  Looking at these statistics together, the lesson seems to be that a little security will go a long way.  In hindsight, 97% of breaches were avoidable through simple or intermediate controls.

While cyber criminals would appear to need a little more intelligence than the everyday burglar who steals a TV from your home, not much has changed about the criminal mind.  The criminal who steals your TV does so not to watch TV, but to turn that TV into cash.  The criminal who steals data, likely does not want the data, but rather the cash he can obtain through sale or use of the data.

If you make yourself easy prey, you are more likely to be the victim of a breach.  Don’t leave your front door open or unlocked.  A few relatively inexpensive security procedures, can greatly reduce the likelihood of your company being the victim of a breach.  If you are in an industry where data can easily be turned into cash, i.e., businesses that depend upon the use of credit cards and other personal information, you are more likely to be the target of a cyber criminal.