Data breaches caused by employee errors, process failures

A study released by the Verizon Business investigative unit found that employee errors are a contributing factor in nearly all data breaches.

Poor data handling decisions, misconfiguration issues and process breakdowns are the biggest causes of data breaches, according to a study of hundreds of data breach cases over a four-year period.

The study, undertaken by the Verizon Business investigation division, found that in most cases there are multiple factors that lead to a data breach. Seventy-three percent of breaches come from external sources, such as a lone hacker or targeted attack from organized cybercriminals. Only 18% are attributed to rogue employees.

"Companies have this mentality that a breach won't happen to them," said Bryan Sartin, vice president of the Investigative Response team at Verizon Business. "Once they become victimized, it's shocking to find that every company seems to fall prey to the same basic problems."

Sartin said the Verizon study is the result of analyzing the Investigative Response team's handling of more than 500 data breaches between 2004 and 2007. The case load includes roughly one-third of all publicly disclosed data breaches in 2005 and a quarter of those in both 2006 and 2007, as well as three of the five largest data breaches ever reported.

The study found that 63% of enterprises learned of a breach months after the data was compromised. Many breaches are also discovered by customers, Sartin said. Seventy percent of all data breaches are discovered by third parties, he said.

There has been an explosion of log management software as a result of compliance spending, but Sartin said many firms are failing to monitor their logs.

"In many cases the answer is right there in their log files," he said. "Companies need to implement the basic concept of actually reading their event logs. It seems like no one does that in practice."

Seventy-two percent of data breaches could be traced back to a process failure or an omission of a data handling process within the company. For example, IT pros at a retailer thought its wide area network restricted communication from store to store, but after a breach, investigators found no one set up the restriction in the first place.

Error is a contributing factor in nearly all data breaches, Sartin said. Sixty-two percent of data breaches could be traced back to errors, such as router misconfigurations and common programming problems that could lend themselves to a SQL injection attack.

"There are individuals out there looking for websites that have holes in them that could lead them to the database server," Sartin said.

When data breaches were caused by insiders, IT administrators were responsible for more data compromises than any other insider role. But according to Verizon, high levels of access are not necessary in order to compromise a system.

Verizon said 57% of all data breaches involve a business partner. In many cases, the company that experienced the breach was doing business with a partner that had poor security practices. Accountability of data was also a major issue. In multiple cases investigators had problems tracing a breach to a specific person.

Sartin recommends that companies begin to implement basic security measures to manage data being shared with business partners. Processes should also be aligned with policy, he said.

"Controls need to hold someone accountable for protecting data and ensuring policies are not only set, but also carried out," he said.
