Verizon Data Breach Investigations Report
Verizon Business has released a comprehensive study based on 4 years of data entitled the “2008 Data Breach Investigations Report” [PDF]. They have also released a podcast to go along with their study (Part 1 here).
The study covers 500 forensic investigations and 230 million records, spanning hundreds of corporate data breaches. The report is very detailed and reveals a lot of information that could help companies better understand the nature of data breaches.
The study found that:
- 73% of breaches result from external sources (39% from business partners, a number that is growing steadily)
- 18% of breaches result from insider threats
- Most breaches result from a combination of events, not a single hack or intrusion
- 62% of breaches were attributed to significant internal errors
- For deliberate breaches, 59% were from hacking and intrusions
- 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
- 90% of breaches involved an “unknown” system, data, network connection or user account
- 75% of breaches are discovered by a third party, not the victimized organization
- In 59% of data breaches, security policies and procedures existed but were not implemented
- 66% of breaches involved data the company did not know was on their system
The study indicates that many data breaches are avoidable, and steps should be taken to prevent them. Dr. Peter Tippett, VP of Research and Intelligence for Verizon Business Security Solutions, says that companies must be “proactive in their approach to security — [it is] the absolute key to safeguarding data.”
Have a policy and implement it. Know what data you have and who has access to it. Monitor event logs. Have an incident response plan. Increase awareness and keep staff well trained: run drills.
Via databreachwatch.org, CNet







3 Comments on “Verizon Data Breach Investigations Report”

July 4th, 2008 at 11:11 am
Hey Arieanna, great post. I was just reading through that Verizon report on Tuesday (while researching my own report on IT security for PCIS).
The report’s findings underscore a larger trend of organizations not taking IT security seriously. Did you see that report from Canada’s Privacy Commissioner showing that about 90 per cent of companies aren’t doing anything meaningful at all about security?
Commenting from another part of the IT security industry, Web application security breaches have become a significant part of the problem (up to 75 per cent of cyber-criminal attacks are against the web application layer). Web security audits to check for vulnerabilities are available, and in time they’ll become a standard part of every company’s security plan, along with solutions like the Computrace LoJack for Laptops.
Incidentally, there’s an excellent blog post on the web aspect of IT security on Vaclav’s Blog, Is Your Website Safe. Cheers!
July 8th, 2008 at 9:52 am
Thanks Jonathon. I agree that web security is going to be posing a major threat over the next couple of years.
Do you have a link for the report?
July 8th, 2008 at 9:56 am
There’s a news report on it here