Study: Mistakes, Not Malicious Insiders, to Blame for Most Breaches

2008 was a banner year for security breaches, according to new research from Verizon. And while many security vendors have been banging the drum about the threat of malicious insiders, this report indicates organizations should be more wary of outside attacks (Read Senior Editor Bill Brenner’s take on the insider threat in Laid-off Workers as Data Thieves?)

The “2009 Verizon Business Data Breach Investigations Report,” released this week finds that hackers continue to intensify and sharpen their efforts to steal sensitive data. In fact, more electronic records were breached in 2008 than the previous four years combined. The study’s authors said the upswing is fueled by a targeting of the financial services industry and a strong involvement of organized crime. Corporations fell victim to some of the largest cybercrimes ever during 2008, noted the report (Get tips on surviving a breach investigation in 5 Ways to Survive a Data Breach Investigation).

The findings debunk the motion that insiders account for the biggest threat to security in most organizations and instead finds that 74 percent resulted from external sources. Only 20 percent were caused by insiders.

“Outsiders are going to exceed insiders in number. There are more of them. It makes sense that that attack ratio would be there,” said Wade Baker, a Research and Intelligence Principal with Verizon.

The study, the second annual conducted by Verizon, is based on data analyzed from Verizon Business’ actual caseload comprising 285 million compromised records from 90 confirmed breaches. The financial sector accounted for 93 percent of breaches, and a staggering 90 percent of these records involved groups identified by law enforcement as engaged in organized crime.

“The world of cybercrime has definitely moved away from the teenage hacker in the basement motif to it’s a business now,” said Baker. “It really does have an effect. When you gather a group together and they all share this purpose of compromising data, then they leverage their collaborative resources and can do attacks one person would not have the time, resources or computing power to do.”

Baker also noted that the investigation found most breaches were avoidable. Nearly nine out of 10, 87 percent, were considered avoidable through simple or intermediate controls.

“If you look at the top three types of hacking, the ways criminals get in the door, it is default credentials, it is SQL injection and poor access control,” said Baker. “From that standpoint the method of entry into the corporate network, they aren’t using very sophisticated methods. If you did things well, you would be able to prevent that.”

Additionally, 81 percent of victims were not Payment Card Industry (PCI) compliant. A statistic Baker said study authors interpreted as testimony to the effectiveness of PCI DSS.

The study found that highly sophisticated attacks account for only 17 percent of breaches and 83 percent of attacks were considered to be what Verizon termed as “not highly difficult” to pull off. However, the study authors also note that while the percentage of sophisticated attacks was small, they accounted for 95 percent of the total records breached. The numbers, according to Baker, once again point to the sophistication and power of today’s organized cybercriminal networks.

*Download a pdf copy of the report and check out the cover page. There is a reason why 0s and 1s were chosen. Can you figure it out?