Verizon Breach Report Challenges Conventional Wisdom - InformationWeek


Software // Information Management
Commentary
4/16/2009
09:11 AM
Mike Fratto


Verizon Business' most recent 2009 Data Breach Investigations Report is a must-read if you're involved in IT. The authors are quick to point out that the report is not a "state of security" report but an analysis of breaches investigated by Verizon Business' Risk Team, and therefore based on in-the-field findings. The report winds up with recommendations. How many is your company following?

The findings challenge commonly held beliefs, like the belief that insiders pose the biggest threat. 74% of the attacks were from external sources and accounted for 266,788,000 records; 32% were from partners, accounting for 1,509,000 records; a paltry 20% were from insiders, accounting for 1,330,000 records; and 39% were from multiple sources, accounting for 15,796,000 lost records. On a per-breach basis, insiders were responsible on average for more records lost per breach, 100,000, while external sources accounted for a median of 37,847 and partners 27,000. Which poses a bigger threat? The most active group, external sources, or the more effective group, internal sources? It doesn't much matter, does it? What this tells me is that information security programs need to focus on protecting information. The insider-versus-outsider view is a symptom of technology-focused security, something long-time contributor Greg Shipley noted in 2003's Network Computing Secure to the Core cover story. His points are just as valid today as then.

In the view of Verizon's Risk Team, the attack difficulty of 83% of the breaches was relatively moderate, characterized as needing "skilled techniques, some customization, and/or significant resources required to carry off." That's a pretty broad definition, but I'd interpret it to mean well within the realm of most IT people and computer nerds. Luckily, 95% of the breaches resulting in lost records were rated as high difficulty, characterized as "advanced skills, significant customization, and/or extensive resources required."

What may be surprising to many folks in security is that PCI enforcement seems to work better than not. There is a lot of discussion about the value of PCI, and it is a favored whipping post. The data and the authors' reading of it indicate that while PCI compliance is not a guarantee against breaches, 81% of companies either weren't compliant or weren't PCI assessed at the time of the breach. In table 10 on page 42, the authors relate the number of companies compliant with each of the top-line PCI requirements. Their conclusion is that a typical organization met a third of the PCI requirements.

The report winds up with conclusions and recommendations. Regardless of whether your company is large or small, in a regulated market or not, there are takeaways you can implement that are well within any IT department's skill set. Better, get a copy of PCI or ISO 27001:2005, which I described in 2006, and align your IT processes with the goals. Alignment is not about checking boxes but about matching processes with the stated goals of PCI or ISO 27001.
