Learn from 2012 data breaches for a secure 2013
January 10th, 2013 by James Warren
I took some time out this morning to read a 2012 data breach report by Verizon, which was sent to us via a Tweet from @RiverviewLaw on Twitter. Whilst many of the findings didn’t come as a surprise, it did confirm in my mind many of the key issues organizations are going to be facing in 2013, and reiterated that the range of products and services we make available to our customers truly does make IT Governance the single source provider for Cyber Security solutions.
The report is based on 855 incidents globally, which resulted in 174 million compromised records. Contributors include the United States Secret Service (USSS), the Dutch National High Tech Crime Unit (NHTCU), the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS) and the Police Central eCrimes unit (PCeU) of the London Metropolitan Police.
Rather than giving you a blow by blow commentary of my key takeaways, I’m going to leave you to read the report yourself and simply quote a few points that I found particularly noteworthy:
- Attack Difficulty
The best breach is the one that never occurs in the first place. Preventing a breach during the initial compromise would obviously have the least amount of repercussion. However, security controls are neither absolute nor binary; they range from quick-fixes all the way up to complex-and-costly. Understanding how much to allocate requires an understanding of the pressure the attacker is applying and where, during the attack, more pressure is used.
- Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.
- Of breach victims required to comply with PCI DSS, 96% were not compliant.
The data breach report touches on many different types of data breach and highlights that protecting information assets is more important than ever for organizations of all sizes.
In hindsight, it seems that for many of these organizations, routine penetration testing of networks and web applications could have highlighted vulnerabilities before they were exploited, and controls could have been put in place. See how our technical services can help your organization to avoid being in next year’s report.
A lack of risk management is likely to have contributed to poor security. Using a risk-based approach to information security and adopting international best practice such as ISO 27001 is the best thing any organization can do.
Not only does ISO 27001 give an organization an Information Security Management System (ISMS) that can be externally audited and helps demonstrate to shareholders, customers and other stakeholders that it takes its information security seriously, but through the Plan-Do-Check-Act (PDCA) process the organization will roll out appropriate policies and procedures, implement effective staff awareness training, and implement controls to mitigate the range of threats identified through the risk assessment process.
vsRisk is a unique tool that will simplify the risk assessment process and is fully aligned to the ISO 27001 standard. Check it out today – there’s a free trial.
Some controls will require security hardware and software to be put in place. Other controls will be simple policy changes, deployed through documentation and staff training. Our staff awareness eLearning courses offer a unique method of training that is cost-effective and engaging for the user, which helps to embed a security-minded culture within the organization.