Verizon Breach Report Challenges Conventional Wisdom

Verizon Business' most recent 2009 Data Breach Investigations Report is a must-read report if you're involved in IT. The authors are quick to point out that the report is not a "state of security" report, but an analysis of breaches from Verizon Business' Risk Team and therefore based on in-the-field findings. The report winds up with recommendations. How many is your company following?The findings challenges commonly held beliefs, like insiders compromise the biggest threat. 74% of the attacks were from external sources and accounted for 266,788,000 records; 32% from partners accouting for 1,509,000 records; a paltry 20% from insiders accounting for 1,330,000 records; and 39% were from multiple sources accounting for 15,796,000 lost records. On a per breach basis, insiders were responsible on average for more records lost per breach, 100,000, while external sources accounted for a median 37,847, and partners 27,000. Which poses a bigger threat? The most active group, external sources, or the more effective group, internal sources? It doesn't much matter, does it? What this tells me is that information security programs need to focus on protecting information. The insider versus outsider view is a symptom of technology focused security-something long time contributor Greg Shipley noted in 2003's Network Computing Secure to the Core cover story. His points are just as valid today as then.

In the view of Verizon's Risk team, the attack difficult of 83% of the breaches are relatively moderate, characterized as needing "skilled techniques, some customization, and/or significant resources required to carry off." That's a pretty broad definition, but I'd interpret it to mean well within the realm of most IT people and computer nerds. Luckily 95% of the breaches resulting in lost records were rated as high difficulty characterized as "advanced skills, significant customization, and/or extensive resources required."

What may surprising to many folks in security is that PCI enforcement seems to work better than not. There is a lot of discussion as the value of PCI and is a favored whipping post. The data and the authors data indicates that while PCI compliance is not a guarantee against breaches, 81% of companies either weren't compliant are weren't PCI assessed at the time of the breach. On table 10 on page 42, the authors relates the number of companies compliant with the top line PCI requirements. Their conclusion is a typical organization met a third of PCI requirements.

The report winds up with conclusions and recommendations. Regardless of whether your company is large or small, in a regulated market or not. There are take ways you can implement that are well within any IT department skill set. Better, get a copy of PCI or ISO 27001:2005 which I described in 2006, and align your IT processes with the goals. Alignment is not about checking boxes but matching processes with the stated goals of PCI or ISO 27001.