The 2013 Verizon DBIR once again hammered home the point that organizations aren't taking care of IT security basics. What are your reactions to the report? Can you provide some takeaways that organizations can implement before they are victimized by simple attacks in 2014?
Ask the expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
It has been interesting to watch the overall trends in the Verizon Data Breach Investigations Report (DBIR) over the years. The insider threat was the one to watch until just a few years ago. The 2013 edition of the Verizon DBIR shows that 92% of breaches originated from external sources, which represents a dramatic shift in the source of threats. This trend is forcing information security departments to refocus their priorities on protecting the company from external attacks.
One key takeaway from this report is that it doesn't seem that we are "winning the war." Don't get me wrong – we are putting up a valiant defense. However, I'm curious whether the increase in external data breaches corresponds with the IT budget crunch that started with the 2009 recession. Many IT security and technical teams are spending too much time nowadays just putting out fires due to a lack of resources. No one has the necessary resources and staff to implement the time-tested security practices of regular patching, vulnerability assessments and log monitoring, as demonstrated in the report. Investment in tools that automate these critical tasks should be a top priority for short-staffed IT security groups.
Another key takeaway is that our traditional security technologies are largely ineffective against highly targeted attacks. Threat actors are frequently turning to social engineering to find ways into the company through employees' personal lives. My advice on this front is to build network security in a multilayered, compartmentalized design. Assume that the attacker is going to get through some of your defenses, and build in monitoring to know how far they have progressed. Also, educate users on security threats, and consider applying additional security measures for executives or those with access to critical assets. By utilizing these steps, a company may stand a chance of not being a statistic in the 2014 Verizon DBIR.
This was first published in January 2014