Report: Basic Security Lapses Spark Most Data Breaches

Verizon Business reviewed more than four years of data breach cases and found that most wouldn't have happened had basic security measures been in place.

By Bill Brenner, Senior Editor

June 13, 2008

Security experts often emphasize the growing sophistication of malware attacks as the reason so many organizations have suffered a data breach. But a new data breach report from Verizon Business suggests nine out of 10 breaches wouldn't have happened had basic security policies and technologies been in place.

The report is based on a review of data breach cases Verizon Business and Cybertrust (acquired by Verizon last year) investigated over a four-year period. The company reviewed more than 500 forensics investigations involving 230 million records and hundreds of corporate breaches, including three of the five largest ones ever reported. Among the findings:

Most data breaches were caused by external sources.
Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

Most breaches resulted from a combination of events rather than a single action.
Sixty-two percent of breaches involved significant internal errors that directly or indirectly contributed to the breach. Among deliberate breaches, 59 percent were the result of hacking and intrusions.

Of the breaches caused by hacking, 39 percent were aimed at the application or software layer.
Attacks on the application, software and services layer were far more common than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, for 90 percent of the known vulnerabilities exploited, patches had been available for at least six months prior to the breach.

Nine of 10 breaches involved unknown systems, data, network connections and/or account user privileges.
At the same time, 75 percent of breaches were discovered by a third party rather than the victim and went undetected for a long time.

Bryan Sartin, vice president of the investigative response team at Verizon Business, said the biggest takeaway, in his opinion, is that companies have to be much more careful about the access they give to third parties such as contractors and business partners.

"I see this as one of the biggest problems," Sartin said in a telephone interview. "Companies are doing more business with third parties and giving them direct access to the network without keeping an eye on what these people are up to."

Evert Ramon Krikken, a security and risk management strategies analyst with Midvale, Utah-based Burton Group, said he's not surprised by the third-party factor. Noting that a large percentage of those studied for Verizon's report were retailers and those in the food and beverage sector, he said, "These businesses are very dependent on third parties for credit card processing."
