Surprise! You're Not To Blame For Security Breaches

Unglue those USB ports. Unchain your laptop. Feel free to leave your smartphone at the airport. If there's a security breach at your company, it's unlikely to be your fault.

Michael Hickins, Contributor

April 15, 2009

For years, security software vendors have drummed up sales of anti-virus and remote device management software by peddling tales of CIOs gluing USB ports so that end-users (you and me, their own employees) wouldn't inadvertently introduce malware that would infect the company's systems and start calling home with its vital data or, worse, so we wouldn't walk away with valuable information on a flash drive we would then foolishly leave at the counter of the local Dunkin' Donuts, or sell on Craigslist (psst, want a peek at our client list?).

But while companies have been spending hundreds of millions of dollars on software designed to wipe the contents of lost BlackBerrys and refuse permission to copy files, it turns out that the worst exacerbators of this very real problem are IT managers who have failed to secure their own front doors. For instance, a mind-blowing 81% of companies don't comply with PCI standards to which they're subject, according to a study by Verizon.

The 2009 Verizon Business Data Breach Investigations Report made it a point to exculpate end-users who have been previously maligned as the source of most breaches:

Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs.

In fact, just about everything cited in the report points to negligent practices by IT departments rather than end users.

"In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data." -- In other words, attackers were able to hang around like Ocean's Eleven at the casino, doing their dirty work right under an IT administrator's nose.

"In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches." -- Hey buddy, I was just wondering -- did you really mean to let those people walk into your home and ransack your belongings, or should I call the cops?

"Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications." -- Any chance you could apologize for that snarky email last year? The one where you implied we were incompetent bordering on criminally negligent?

The study also shows that, sadly, the incidence of cybercrime is exploding, which is likely to result in tighter security measures. Tighter security measures have traditionally translated to longer lists of "don't do's" for end users, dragging down productivity and even innovation--like some stupid end-user fiddling around with an application and finding an unintended use for it that triples productivity.

Maybe the real value of this report is not that it reveals just how bad things are, but who isn't to blame.
