Verizon Business Risk Analysis Reports That Data Breach Sources And Risks Vary By Industry

In a follow-up to its June 2008 report, Verizon Business Risk Services performed an analysis of corporate data breaches across several industries. The 2008 Data Breach Investigations Supplemental Report found that some industries are more vulnerable to specific types of threats than other industries. The analysis included data breaches in the finance, food, retail, and technology industries, and identified three types of sources of data breaches:

"External: Intuitively, external threats originate from sources outside the organization. Examples include hackers, organized crime groups, and government entities but also environmental events such as typhoons and earthquakes."

"Internal: Internal threat sources are those originating from within the organization. This encompasses human assets—company executives, employees, and interns—as well as other assets such as physical facilities and information systems."

"Partner: Partners include any third party sharing a business relationship with the organization. This value chain of partners, vendors, suppliers, contractors, and customers is known as the extended enterprise."

In some instances a breach was attributed to more than one source, which suggests collusion between people inside and outside the company. Overall, the analysis found:

"The predominant pattern to note here is that each industry exhibits the same pattern or order (external sources being highest, followed by partner sources, then internal ones) except Tech Services, in which insider breaches were more common than those involving partners."

The industry-specific findings included:

"Tech Services are often in the role of “the partner” to the other industries, providing management, hosting, and other services. It stands to reason that organizations in this industry likely employ a high percentage of tech-savvy staff and grant them high levels of access to numerous systems. Unfortunately, some find that access to sensitive and valuable resources is a temptation too hard to resist. Facing similar temptations, insiders in the Financial Services industry were behind a large proportion of breaches as well."

Findings about data breaches in the Food and Beverage industries:

"... a very different yet striking series of statistics. Insider breaches fall well below other industries, while the percentage for partners is extremely high—nearly equaling that of external sources. At first, this may seem counterintuitive as staff within this industry constantly handle money, checks, and credit cards... The large percentage of partner breaches in the Food and Beverage industry is mostly due to the scenario in which an external attacker compromises a partner and then uses trusted systems and connections as a privileged platform to attack the victim. For Food and Beverage establishments, this is often a vendor supporting the point-of-sale (POS) system using default or shared credentials among many clients."

When analyzing data breaches caused by Internal sources, the analysis found:

"Only in Financial Services are end-users responsible for more breaches than IT administrators. Based on our investigative experience, we associate this with the greater access non-IT employees have to sensitive resources... We also note that Financial Services is the only group with breaches tied to agent/spy activity... IT administrators are behind the vast majority of breaches in the Tech Services industry. This is clearly a function of the services provided by these firms, which often involve a significant IT support, management, or hosting element. The ratio of admins to end-users is more evenly distributed among retail companies. Interestingly, a fair number of investigations pointed to a retail executive as the responsible party."

The types of data stolen indicate that the attacks were financially motivated. Across all data breaches, the types of data stolen included:

  • Payment card data (e.g., credit cards): 84%
  • Personally identifiable information (e.g., social security numbers): 32%
  • Non-sensitive data: 16%
  • Authentication credentials (e.g., passwords & log-in data): 15%
  • Other sensitive data: 10%
  • Intellectual property: 8%
  • Corporate financial data: 5%

Percentages total more than 100% since some attacks included multiple types of data.

A data breach analysis like this is helpful and instructive, even though it does not mention offshore outsourcing, which is clearly a Partner source. It outlines next steps corporate executives should take to better protect the sensitive personal data their companies hold about consumers. Data security methods must vary by industry to match the sources of breaches that dominate in each industry; a one-size-fits-all data security solution would be inappropriate.

If there is a "to-do" item in this for consumers, it is to be aware of, and ask about, the data security methods used by the companies you do business with. If a company doesn't have any, or gives an answer you find dubious, shop elsewhere or use cash. In my opinion, the analysis implies that consumers should spend more time and effort reading and evaluating the Privacy Policies and Terms & Conditions that companies publish on their websites and in printed materials. These policies provide clues about how serious a company is about protecting your sensitive personal data.

To read more, download the Verizon Business Risk report (PDF - 1,049 KB).

John Franks

These data breaches and thefts are due to a lagging business culture. I found some fresh and original thinking from the author of “IT Wars” - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book – BEFORE you suffer a breach.

Offshore Outsourcing

Thanks so much for sharing this informative article with us.