I recently blogged about some pretty alarming statistics from the newly published 2010 Data Breach Investigation Report.
Let’s take a closer look at the 48% of breaches that involved privilege misuse.
I guarantee you that a large chunk of employee misuse is 100% non-malicious. In many cases, it’s the hardest working and most dedicated employees that feel forced to find their own way – any way – to get the job done because they were not provided the appropriate tools.
Over the last year I’ve spoken to well over 100 people that admitted to many of the items in the chart above.
In fact, I’m sure many of you blog readers have used a personal hard drive to temporarily store company data because you simply want to back-up your important work files. What about copying company files to a USB/DVD as a convenient way to transport data — or even subscribing to a file sharing website or using your personal email account — simply because you can’t send or receive large files from your work email account? And how many of you access company email or files from that shiny new smartphone of yours?
And you know what, I’m guilty too. But with total non-malicious intent I assure you.
I spent my morning reading through the 2010 Data Breach Investigations Report that was just published by the Verizon RISK Team and the United States Secret Service. This is an amazingly insightful report with lots of information to digest. If the topic of data breaches interests you, I highly recommend finding time to read through it.
Data breaches are scary. Nobody wants to be a victim… And nobody wants their company to be the next headline on the news.
Data breaches are expensive. According to the Ponemon Institute’s 2009 Cost of a Data Breach study, the average cost of each compromised record is $204.
Here are 5 quick recommendations that I’d like you to consider:
- Recognize your data: Before you can protect confidential, sensitive and important data you must first go through an exercise of identifying where it lives, who has access to it, how it’s handled, what systems it touches, and make sure any and all interactions with the data is fully visible and auditable.
- Take proactive precautions: The majority of breaches were deemed “avoidable” if the company had followed some security basics. Only 4 percent of breaches required difficult and expensive protective measures. Enforce policies that control access and handling of critical data.
- Watch for ‘minor’ policy violations: The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should investigate all policy violations. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
- Monitor and filter outbound traffic: At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
- If a breach has been identified, don’t keep it to yourself: Standard procedure for data breach recovery should be to quickly identify the severity of the breach… And affected individuals have a right to know that sensitive information about them has accidently been compromised.
I’m going to end this blog post by asking you to estimate how many pieces of sensitive files and data your company has…. Now multiply that by $204. I’m sure you’ll agree that the ROI on the time and resources spent to protect company data are well worth the investment.