Poor data handling decisions, misconfiguration issues and process breakdowns are the biggest causes of data breaches, according to a study of hundreds of data breach cases over a four-year period.
The study, undertaken by the Verizon Business investigation division, found that in most cases there are multiple factors that lead to a data breach. Seventy-three percent of breaches come from external sources, such as a lone hacker or targeted attack from organized cybercriminals. Only 18% are attributed to rogue employees.
"Companies have this mentality that a breach won't happen to them," said Bryan Sartin, vice president of the Investigative Response team at Verizon Business. "Once they become victimized, it's shocking to find that every company seems to fall prey to the same basic problems."
Sartin said the Verizon study is the result of analyzing the Investigative Response team's handling of more than 500 data breaches between 2004 and 2007. The case load includes roughly one-third of all publicly disclosed data breaches in 2005 and a quarter of those in both 2006 and 2007, as well as three of the five largest data breaches ever reported.
The study found that 63% of enterprises learned of a breach months after the data was compromised. Many breaches are also discovered by customers, Sartin said. Seventy percent of all data breaches are discovered by third parties, he said.
There has been an explosion of log management software as a result of compliance spending, but Sartin said many firms are failing to monitor their logs.
"In many cases the answer is right there in their log files," he said. "Companies need to implement the basic concept of actually reading their event logs. It seems like no one does that in practice."
Seventy-two percent of data breaches could be traced back to a process failure or an omission of a data handling process within the company. For example, IT pros at a retailer thought its wide area network restricted communication from store to store, but after a breach, investigators found that no one had set up the restriction in the first place.
Error is a contributing factor in nearly all data breaches, Sartin said. Sixty-two percent of data breaches could be traced back to errors, such as router misconfigurations and common programming problems that could lend themselves to a SQL injection attack.
"There are individuals out there looking for websites that have holes in them that could lead them to the database server," Sartin said.
When data breaches were caused by insiders, IT administrators were responsible for more data compromises than any other insider role. But according to Verizon, high levels of access are not necessary in order to compromise a system.
Verizon said 57% of all data breaches involve a business partner. In many cases, the company that experienced the breach was doing business with a partner that had poor security practices. Accountability of data was also a major issue. In multiple cases investigators had problems tracing a breach to a specific person.
Sartin recommends that companies begin to implement basic security measures to manage data being shared with business partners. Processes should also be aligned with policy, he said.
"Controls need to hold someone accountable for protecting data and ensuring policies are not only set, but also carried out," he said.