Study: 96% of data breaches avoidable

A full 96 percent of data breaches are avoidable through simple or intermediate controls, according to “2010 Data Breach Investigations Report,” research conducted by Verizon’s Business Risk team in cooperation with the U.S. Secret Service (USSS).

The Data Breach Investigations Report analyzed the Verizon Business Risk 2009 caseload and aggregated data contributed from the USSS. The series now spans six years, 900-plus breaches and more than 900 million compromised records, according to the annual study.

Among the findings:
  • 70 percent of data breaches resulted from external agents, down 9 percentage points from the previous year's report;
  • 48 percent were caused by insiders, up 26 points over the previous year;
  • 27 percent involved multiple parties, a 12-point drop from previous findings; and
  • 11 percent implicated business partners, down 23 points.

“Breaches linked to business partners continued the decline observed in our last report and reached the lowest level since 2004,” the report stated.

The report also broke breaches down by the threat actions involved (a single breach can involve more than one, so the figures overlap):
  • 48 percent involved privilege misuse, up 26 percentage points from the previous report;
  • 40 percent resulted from hacking, a drop of 24 points;
  • 38 percent utilized malware, roughly the same as in the last report;
  • 28 percent employed social tactics, a rise of 16 points; and
  • 15 percent comprised physical attacks, a 6-point jump.

“Misuse sits atop the list of threat actions leading to breaches in 2009,” although hacking and malware were responsible for more than 95 percent of all data compromised, according to the report. “Weak or stolen credentials, SQL injection and data-capturing, customized malware continue to plague organizations trying to protect information assets. Cases involving the use of social tactics more than doubled and physical attacks like theft, tampering and surveillance ticked up several notches.”

As in previous years, nearly all compromised records (98 percent) were taken from servers and applications, and 96 percent of breaches were avoidable through simple or intermediate controls, an increase of 9 percentage points, the study found.

Sixty-one percent of breaches were discovered by a third party, down 8 percentage points from the previous report: “Most breaches are discovered by external parties and only then after a considerable amount of time,” the report stated.

The report recommended that organizations focus mitigation effort on:
  • Eliminating unnecessary data and keeping tabs on what’s left;
  • Ensuring essential controls are met;
  • Testing and reviewing web applications;
  • Auditing user accounts and monitoring privileged activity;
  • Filtering outbound traffic; and
  • Monitoring and mining event logs.
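Two of those recommendations, auditing privileged activity and mining event logs, are concrete enough to illustrate, and they bear directly on the report's finding that stolen or weak credentials and privilege misuse led the 2009 caseload. The following script is an added example written for this page; it is not code from the report or from Verizon. It parses a handful of constructed sshd log lines (test addresses from RFC 5737) and applies two checks: a run of failed logins from one source that ends in an accepted login, which is the signature of a guessed or stolen password, and any accepted login to a privileged account that comes from outside an assumed admin allowlist or uses password rather than key authentication. The privileged-account set and the allowlist are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for this example (not from the report).
SAMPLE_LOG = """\
Oct 12 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Oct 12 03:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Oct 12 03:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51024 ssh2
Oct 12 03:14:07 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51025 ssh2
Oct 12 03:14:09 web01 sshd[2218]: Failed password for root from 203.0.113.5 port 51026 ssh2
Oct 12 03:14:12 web01 sshd[2220]: Accepted password for root from 203.0.113.5 port 51027 ssh2
Oct 12 09:02:44 web01 sshd[3102]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Oct 12 09:05:10 web01 sshd[3110]: Accepted password for root from 192.0.2.10 port 40030 ssh2
Oct 12 11:30:00 web01 sshd[3300]: Failed password for jsmith from 198.51.100.7 port 33000 ssh2
Oct 12 11:30:20 web01 sshd[3301]: Accepted password for jsmith from 198.51.100.7 port 33001 ssh2
""".splitlines()

# OpenSSH "Accepted"/"Failed" lines; "invalid user" appears when the account does not exist.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

PRIVILEGED_USERS = {"root", "admin"}   # assumption: accounts treated as privileged
ADMIN_SOURCES = {"192.0.2.10"}         # assumption: the bastion admins log in from


def parse_auth_line(line):
    """Return a dict of fields for an sshd auth line, or None for other lines."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def parse_log(lines):
    return [e for e in (parse_auth_line(line) for line in lines) if e]


def find_guess_then_success(events, threshold=3):
    """Flag sources whose run of failed logins ends in an accepted login.

    Events must be in chronological order. A success after fewer than
    `threshold` failures is treated as an ordinary typo and resets the count.
    """
    failures = defaultdict(int)
    findings = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            failures[src] += 1
            continue
        if failures[src] >= threshold:
            findings.append({"ts": e["ts"], "src": src, "user": e["user"],
                             "failures": failures[src]})
        failures[src] = 0
    return findings


def find_privileged_logins(events, privileged=PRIVILEGED_USERS,
                           allowed_sources=ADMIN_SOURCES):
    """Flag accepted logins to privileged accounts that break the assumed policy."""
    findings = []
    for e in events:
        if e["result"] != "Accepted" or e["user"] not in privileged:
            continue
        reasons = []
        if e["src"] not in allowed_sources:
            reasons.append("source not in admin allowlist")
        if e["method"] == "password":
            reasons.append("password (not key) authentication for privileged account")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in find_guess_then_success(events):
        print(f"[credential guessing] {f['ts']} {f['src']} -> {f['user']} "
              f"after {f['failures']} failures")
    for f in find_privileged_logins(events):
        print(f"[privileged login] {f['ts']} {f['user']} from {f['src']}: "
              + "; ".join(f["reasons"]))
```

On the sample input the first check flags 203.0.113.5, which fails five times and then logs in as root, while the single failure from 198.51.100.7 stays below the threshold. The second check flags both root logins: the one from 203.0.113.5 for source and method, and the one from the allowlisted bastion only because it used a password. Run against real logs, the same two rules cover the report's "stolen and/or weak credentials" and "privilege misuse" categories; the threshold and allowlist are the knobs to tune so the output stays small enough that someone actually reads it, which is the failure mode behind the 61 percent of breaches discovered by outsiders.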

“Our profession has the necessary tools to get the job done. The challenge for us lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time … The amount of breaches that exploit authentication in some manner is a problem. In our last report it was default credentials; this year it’s stolen and/or weak credentials,” the study stated. “Whatever the reason [for data breaches], we have some work to do here.”

