Report: 90% of Data Breaches Preventable

Thursday, January 22, 2015 @ 05:01 PM gHale


Over 90 percent of data breaches in the first half of 2014 may not have occurred if businesses employed strong cyber strategies, a new report said.

From January to June last year, only 40 percent of data breaches involving the loss of personally identifiable information (PII) were the result of external intrusions, while 29 percent were caused, accidentally or maliciously, by employees. The figures come from the Online Trust Alliance (OTA), a non-profit geared toward enhancing online trust and assisting businesses with best practices and risk assessment, which released them alongside its 2015 Data Protection Best Practices and Risk Assessment Guides.


A lack of internal controls, lost or stolen devices and documents, as well as social engineering and fraud were to blame for almost 30 percent of data loss incidents suffered by businesses, OTA said.

In its Risk Assessment Guide, OTA sets out the questions IT decision makers must ask themselves to assess the risk their business practices carry against cyberthreats. A modern business has to ask not only whether its own security practices are up to snuff, but whether third-party vendors, such as those in the supply chain or those providing outsourced IT services, pose a threat to its security.

Some of the questions corporations need to ask:
• Do you understand the international and local regulatory requirements and privacy directives related specifically to your business based on where the customer or consumer resides?
• Do you know the specific data attributes you maintain for all customers? How and where is this data stored, maintained, transferred and archived (including data your vendors and third-party/cloud service providers store or process)?
• Are you prepared to communicate to employees, customers, stockholders, and the media during a data loss incident?
• Do you understand the security, privacy and notification practices of your vendors?
• Do you have a data breach response vendor with experts on call to assist in determining the root cause of a breach, identifying its scope, and collecting threat intelligence on all data potentially impacted by the incident?

After analyzing over 1,000 breaches involving PII, OTA put together 12 critical security practices in a second guide that companies should follow to lessen the risk of a cyberattack and to minimize the damage if one succeeds, in a threat landscape that grows more dangerous by the year. OTA said that had the practices listed below been followed, the 2014 hacking of celebrity photos and the data breaches suffered by major U.S. retailers may not have occurred.

OTA recommends that the enterprise:
1. Enforce effective password management policies
2. Keep all user accounts at the lowest privilege and access level possible
3. Shore up client devices by deploying multi-layered firewall protection and anti-virus software, and make sure default locally shared folders are disabled
4. Conduct regular penetration tests and vulnerability scans
5. Require email authentication (such as SPF, DKIM and DMARC) on all inbound and outbound mail
6. Implement a mobile device management system
7. Monitor company network infrastructure in real time
8. Deploy web application firewalls to detect and prevent common Web attacks
9. Permit only authorized devices to connect to wireless networks
10. Implement Always On SSL (AOSSL) on servers, serving every page over HTTPS rather than only login and checkout pages
11. Frequently review server certificates
12. Develop, test and refine a data breach response plan
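Practice 5, email authentication, is the item on the list that lends itself most directly to a concrete check. The script below is an added example, not code from OTA or from the article: it parses a domain's SPF and DMARC TXT records and flags the weak settings a reviewer would look for (SPF ending in ~all, ?all or +all, or exceeding the ten-lookup limit; DMARC p=none, sp=none, partial pct, or no aggregate-report address). The domain names and records are constructed for illustration, and lookup_txt() is a stand-in for a real DNS query. DKIM is not assessed because its selector names are not discoverable from DNS alone.

```python
"""Check a domain's published email-authentication policy (SPF and DMARC).

Added example, not code from OTA or the article.  The TXT records below are
constructed for illustration; a live check would replace lookup_txt() with a
real DNS TXT query (for example dnspython's dns.resolver.resolve(name, "TXT")).
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed TXT records keyed by DNS name, as a resolver would return them.
SAMPLE_TXT = {
    "lax.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.lax.example": ["v=DMARC1; p=none; rua=mailto:dmarc@lax.example"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example"],
    # "unprotected.example" publishes no records at all.
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def lookup_txt(name: str) -> List[str]:
    """Stand-in resolver that returns the constructed records above."""
    return SAMPLE_TXT.get(name, [])


@dataclass
class Finding:
    domain: str
    issues: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.issues


def spf_issues(records: List[str]) -> List[str]:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send for this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: a permerror, so receivers ignore all of them"]
    issues = []
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("SPF lacks an 'all' mechanism; unlisted senders get a neutral result")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # default qualifier is '+'
        if q == "+":
            issues.append("SPF ends in +all: every host on the internet passes")
        elif q == "?":
            issues.append("SPF ends in ?all: neutral result, no protection")
        elif q == "~":
            issues.append("SPF ends in ~all (softfail); move to -all once DMARC reports show no legitimate senders are missing")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluation fails with permerror")
    return issues


def dmarc_issues(records: List[str]) -> List[str]:
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers cannot enforce SPF/DKIM alignment or report failures"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: receivers discard the policy"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    issues = []
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        issues.append("DMARC p= tag missing or invalid: record is unusable")
    elif p == "none":
        issues.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("sp", p).lower() == "none" and p != "none":
        issues.append("DMARC sp=none: subdomains are exempt from the policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        issues.append("DMARC has no rua= address: aggregate reports are not collected")
    return issues


def assess(domain: str, txt: Callable[[str], List[str]] = lookup_txt) -> Finding:
    """Evaluate the domain's own SPF record and the record at _dmarc.<domain>."""
    return Finding(domain, spf_issues(txt(domain)) + dmarc_issues(txt("_dmarc." + domain)))


if __name__ == "__main__":
    for d in ("strict.example", "lax.example", "unprotected.example"):
        f = assess(d)
        print(f"{d}: {'OK' if f.ok else 'WEAK'}")
        for i in f.issues:
            print("  -", i)
```

Run against the constructed data, strict.example comes back clean, lax.example is flagged for its ~all softfail and p=none monitoring-only policy, and unprotected.example for having no records at all. Pointing assess() at a resolver-backed txt function turns it into a check that can be run over every domain the business sends mail from, including those handled by vendors.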

“Businesses are overwhelmed with the increasing risks and threats, yet all too often fail to adopt security basics,” said Craig Spiezle, OTA executive director and president. “Releasing the Guides and best practices in advance of Data Privacy Day will provide businesses with actionable advice. When combined with other controls, these can help prevent, detect, contain and remediate data breaches.”


