Here’s the Long-Awaited ‘Silver Bullet’ for Data Security: Plain Old Elbow Grease

Verizon just released the latest edition of its annual Data Breach Investigations Report, and it reveals that most data security breaches don’t have to happen – yet, they still do keep on taking place.

The report, based on data breach details from 19 global organizations: law enforcement agencies, national incident-reporting entities, research institutions, and private security firms, finds that there’s nothing outlandish or technically difficult in the ways breaches can be avoided. However, organizations still simply aren’t doing enough to shut the door tightly enough against hackers or malcontents.

The report observes that 75% of attacks are “opportunistic,” meaning they are not targeted at a specific individual or company — and the vast majority of those are financially motivated. A lot of internal breaches could have easily been avoided. For example, more than 70% of intellectual property theft cases committed by internal people took place within 30 days of them announcing their resignation. Over half of the insiders committing sabotage were former employees taking advantage of old accounts or back doors that weren’t disabled.

In surveys I have been involved with since 2007, we found a great deal of laxity within enterprises when it comes to guarding enterprise data. For instance, about half of enterprises still take live production data and send multiple copies out of the data center (where, presumably, security is high) and send it to other places – backup sites, development shops, and outside vendors. Only one out of four will attempt to encrypt, de-identify or mask the data.

Since many data breaches are the result of vendors or third-part contractors mishandling files, either through mistakes or more malicious intents. It should be simple to block their access to sensitive information – but it’s not happening, yet.

The report parses through the various types of security threats unleashed:

Hacking (52% of breaches): There’s actually nothing new about the hacking incidents that have taken place, the report observes. “Why reinvent the wheel?” Authentication-based attacks (guessing, cracking, or reusing valid credentials) accounted for four of every five breaches involving hacking in the 2012 data. The solution to hacking is simple, the report adds: “If data could start a riot (‘Occupy Passwords!’), we could use these statistics to overthrow single-factor passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80% of these attacks to adapt or die.”

Malware (40% of breaches): While Malware is the number-two threat, it is gradually being overshadowed by other malicious activity. “The percentage of data breaches involving malware was lower in 2012, but that can be attributed to a relative proportional increase in other categories (social and physical) rather than an actual decline.”

Physical (35% of breaches): Of course, there’s always the potential of someone simply breaking into an office, or – as happens a lot – of stealing a laptop or device. One of the most egregious forms of physical data theft now seen is ATM skimming, which involves false fronts being attached to the cash machines. POS devices are also vulnerable to such breaches.

Social (29% of breaches): One of the most notorious approaches here is “sending a convincingly crafted malware-laden e-mail to a few key employees could give an attacker the keys to a company’s intellectual property kingdom.” In the last year, phishing jumped bribery and pretexting to become the most widely used social tactic, the Verizon report states. In 95% of the cases, these were used “as a means of establishing a foothold in their intended victims’ systems.” Here’s where more end-user education is called for.

Misuse (13% of breaches): You may trust your database administrator with your life, but can you trust him not to skim your data? Even the best of staffs still need safeguards – privileged users sometimes make mistakes or fall to temptation.

Errors (2% of breaches): The report’s authors admit that this is a difficult area to measure. In some ways, lax or inattentive security protocols are fertile ground for  accidental data breaches. “It hurts our hearts not to label a blank password as an error, but if the organization doesn’t have processes or standards to forbid that and lacks fundamental security as ‘the norm,’ it’s hard to call it an error. A server misconfiguration that publishes private data to a public website is a different matter, and would be recorded as an error. Such misconfigurations are the most common error seen, the report adds.

The report provides the following guidance to enterprises seeking to better lock the door to their data assets:

• * Eliminate unnecessary data; keep tabs on what’s left.

• * Perform regular checks to ensure that essential controls are met.

• * Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.

• * Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.

• * Regularly measure things such as “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.

• * Don’t buy into a “one-size-fits-all” approach to security.

To combat data security breaches, the report observes “there’s no silver bullet,” just a lot of elbow grease. And don’t put the entire burden on the IT department. Spotting and preventing data security incidents is an unending task, and “one that should not be the sole responsibility of the IT department or the chief information security officer. Ensuring data security should be a company-wide effort all the way up to the boardroom.”

Joe McKendrick is an author and independent researcher, covering innovation, information technology trends and markets.  Much of his research work is in conjunction with Unisphere Research/ Information Today, Inc. for user groups including SHARE, Oracle Applications Users Group, Independent Oracle Users Group and International DB2 Users Group. He is also research analyst with GigaOM Pro Research.

He is a regular contributor to Forbes.com, and well as a contributor to CBS interactive, authoring the ZDNet “Service Oriented” site, and CBS interactive’s SmartPlanet site.

Joe is a co-author of the SOA Manifesto, which outlines the values and guiding principles of service orientation in business and IT.

In a previous life, he served as communications and research manager of the Administrative Management Society (AMS), an international professional association dedicated to advancing knowledge within the IT and business management fields. He is a graduate of Temple University.