Nearly nine in ten data breaches could have been avoided by taking reasonable security measures, according to a new report.
Some 87 percent could have been prevented, according to Verizon Business' 2008 Data Breach Investigations Report, which made 500 forensic investigations of over 230 million records spanning four years. The report analyzed hundreds of corporate breaches, including three of the five largest ones ever reported.
This study also found that 73 percent of breaches resulted from external sources, against 18 percent from insider threats. Some 39 percent were attributed to business partners. Most breaches resulted from a combination of events rather than a single hack or intrusion.
Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, urged businesses to be more proactive in their approach to security, and to keep better track of data. He added: "Security breaches and the compromise of sensitive information are very real and growing concerns for organizations worldwide."
In deliberate breaches, 59 percent were the result of hacking and intrusions, Verizon found. Of those, 39 percent were aimed at the application or software layer, compared to 23 percent that attacked the operating system.
Some 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
Three quarters of breaches were discovered by a third party and had gone undetected for a lengthy period.
Verizon also warned that there was a growing worldwide black market for stolen data, especially in the retail and food industries, which accounted for more than half of all cases investigated. By contrast, financial services only accounted for 14 percent of breaches studied.
The report claims that data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud, which is a prime motivation for data breaches.
By breaking into restricted computer systems and compromising sensitive information stored within them, criminals are able to access systems that contain information on tens of thousands of victims versus just a handful through non-electronic means.
Businesses should take a range of simple actions to tackle breaches, the report said. It advised businesses to:
-- Align process with policy. In 59 percent of data breaches, businesses had security policies and procedures established for the system, but these measures were never implemented.
-- Create a data retention plan. With 66 percent of all breaches involving data that a company did not even know was on their system, it is critical that companies are aware of data flows and where they reside, Verizon said. It was important to identify data and prioritize its risk.
-- Control data with transaction zones. Network segmentation can help prevent, or at least partially mitigate, an attack, the report said.
-- Monitor event logs. In 82 percent of data breaches, evidence of events leading up to them had been available prior to actual compromise. Data logs should be continually and systemically monitored and responded to when events are discovered.
-- Create an incident response plan. If and when a breach is suspected, businesses must be ready to respond, not only to stop the data compromise but to collect evidence that enables them to pursue prosecution.
-- Increase awareness. Only 14 percent of data breaches were discovered by employees.
-- Engage in mock-incident testing. Running drills and testing peoples' abilities, judgements and actions during a mock crisis was crucial, Verizon said.