Data breaches have become so common that it's easy to overlook them. There were 781 known data breaches in 2015, according to the Identity Theft Resource Center, enough to read about mistakes being made twice a day if the media chose to write about every incident. Websites like haveibeenpwned.com list dozens of breaches affecting high-profile websites.
Almost anyone active online for a few years is likely to have received multiple breach notifications. So many businesses get hacked or reveal data through inattention that the details become a blur.
The potential threat posed by insiders is well known, even if employees, contractors, and partners don't represent the most significant threat vector. According to Verizon's 2016 Data Breach Investigations Report, 172 data breaches around the world last year were attributable to insiders and privilege misuse out of 2,260 breaches analyzed.
Privacy Rights Clearinghouse's database of data breaches suggests a relatively small percentage of breaches happened as a result of insiders: 13 out of 229 listed from 2015. Since the cause of many breaches is not publicly known, insider involvement could be greater.
Perhaps because so many attacks come from the outside, IT executives don't show much concern about the risk associated with third-party access to secure systems. Soha Systems, a provider of enterprise access management services, recently conducted an online survey of 219 IT professionals in the US, and found that only 2% of them saw third-party access as a top priority in terms of IT initiatives and budget allocation.
That's not entirely surprising. As a police force isn't likely to see its own people as its most pressing concern, IT professionals can be expected to look outside their organization and partners before turning their attention inward.
But Soha suggests more attention should be directed inwardly because "third parties cause or are implicated in 63 percent of all data breaches." That figure comes from a 2013 Trustwave report: "The majority of Trustwave's investigations (63%) revealed that a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers."
Soha's findings perhaps overstate the disinterest of organizations in the security of the companies they work with. A BitSight Technologies Study, conducted by Forrester Consulting from March, 2015, found that third-party security represented a top business concern among enterprises.
Reconciling various vendor-backed studies to reflect the varying security situations faced by each different organization may not be a fruitful endeavor. Apples are not always compared to oranges, so to speak, and there's a lot of statistical cherry-picking. Try to think of an example of a vendor-backed study that doesn't justify the company's product and your thinking cap will run out of batteries. Then there's the issue of drawing conclusions from what people say in surveys rather than measuring what they actually do. Talk is cheap; implementing better security practices usually isn't.
But cost isn't a free pass to do nothing. Here's a look at why and some of the major findings of Soha's study. Let us know what you think. What measures does your organization take to stay safe from attacks from outsiders as well as insiders?