The InformationWeek Security blog reported the results of a study by Verizon:
"Eighty-seven percent of data breaches could have been prevented with reasonable security precautions, according to a study of over 500 forensic investigations conducted by Verizon Business Security Solutions. Verizon's study of actual data breach investigations from 2004 through 2007 suggests that incompetence and carelessness represent the greatest threat to business information."
This is no surprise to I've Been Mugged readers. The study categorized the corporate data breaches:
"... breaches were attributable to a combination of events more frequently than a single action, including: a significant error (62%), hacking and intrusions (59%), malicious code (31%), an exploited vulnerability (22%), and physical threats (15%)."
The study also categorized the type of information exposed or stolen:
"... the type of data compromised falls into the following categories: payment card data (84%), personally identifiable information (32%), non-sensitive data (16%), authentication credentials (15%), other sensitive data (10%), intellectual property (8%), corporate financial data (5%), and medical/patient data (3%)."
The study also listed which parties (e.g., outside attackers, employees, business partners) were responsible for the corporate data breaches:
"... those responsible for data breaches were: external sources (73%), insiders (18%), business partners (39%), and multiple parties (30%). While insiders accounted for the smallest percentage of breaches, the breaches traced to them involved more than ten times as many records (375,000) as breaches traced to outsiders (30,000) and about twice as many records as breaches traced to partners (187,500)."
An alarming statistic from the study: in 63% of cases, months or years passed between the data breach and its discovery.
It's important to understand the relationship between the data breaches in the Verizon study and the total number of publicly disclosed data breaches:
"According to the Identity Theft Resource Center, there were 446 data breaches publicly reported in 2007, 312 in 2006 and 158 in 2005. Verizon's report says that the more than 500 cases its investigators looked at include about one-third of the publicly disclosed data breaches in 2005 and a quarter of the publicly disclosed data breaches in 2006 and in 2007."
So, one must interpret the conclusions of the Verizon study cautiously, since it covered only a limited subset (roughly a quarter to a third) of the publicly disclosed corporate data breaches in each year, and only those cases Verizon itself investigated. The study did not mention offshore outsourcing. What's crystal clear from the study: there's plenty of room for data security improvement by companies, their management, and employees.