The recently released Verizon 2013 “Data Breach Investigations Report” confirms that 2012 was a banner year for data breaches across every level of enterprise. From giant corporations to mom and pop operations, multi-national organizations to the local pub, nobody was immune to some type of network attack. The 63-page report is filled with the kind of findings that make IT security teams shudder and resign themselves to the notion that their organization will be breached sooner or later.
The diversity and scale of 2012 data breaches “reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity.” Ninety-two percent of breaches were instigated by external crooks looking to steal access to everything from financial accounts to intellectual property. The report noted that insiders committed 14 percent of breaches, a figure that is up 10 percent from 2011.
The internal and external breach figures are based on the 621 breaches leading to confirmed data disclosure that were used for the majority of the report's findings. What's crucial to note, though, is that the report also includes a second dataset of figures based on more than 47,000 “security incidents.” In that dataset, the insider number jumps to 69 percent, and the key piece of information there is that “most of these are insiders acting carelessly rather than maliciously.”
An alarming statistic jumping out of the report, however, is that 71 percent of breaches – whether external or internal – targeted user devices. In light of the trend toward bring-your-own-device (BYOD), this is particularly troublesome when you consider how often people change jobs within an organization while their access to data remains unchanged. They have access to what their new job requires, as well as to the other company data they could reach before. As the majority of breaches target user devices, it's entirely possible a malicious external threat could have a field day with all the data reachable through someone's internal access.
Using the same password for everything from accessing company data to logging in to online retail sites further fuels the risk of a data breach for an organization. It's difficult to remember a host of different passwords, so the natural tendency is to use the same one across the board. But when the user's work password is also used to access an online retail site, it puts the password in the hands of another organization and multiplies the places cyber thieves can find passwords to access an organization's data. When work email addresses are used to receive purchase confirmations, cyber thieves not only have the user's password, but also know where they work. A common password for multiple company logins becomes a dangerous key to all kinds of data when a laptop or mobile device is temporarily left unattended and open.
How can the IT security team lessen the risk of data breaches, regardless of whether the threat is at the firewall or the result of insider carelessness? The answer is identity and access management (IAM). IAM provides the dynamic security controls needed to protect the organization at every touch point, regardless of industry or business size. While every organization needs IAM, it is particularly crucial for publicly traded companies and those that need to protect customer information.
The capability to leverage connected security should be a top component of your security strategy. Connected security means that security technologies are integrated across the entire enterprise, connecting each individual piece, and enabling the entire business to share intelligence. This ensures each employee only has the access they need to do their job – and nothing more. As the Verizon DBIR shows, internal data breaches can happen when access is used maliciously, but, most often, carelessness is the culprit. That's why it's essential to have the right process in place to review data access within the organization in terms of who has access, who needs it, and who has it but isn't using it. A data access governance plan that's rooted in connected security can ensure the business has all the right levels of protection, while supporting compliance and maintaining continuity of business operations. And, by providing employees with only the access they need, the organization will cut down the pool of insider “threats” who may unknowingly open it up to a breach.
Depending on where organizations are with their IAM strategy and implementation, there are many ways to empower IAM solutions to protect business-critical data. Organizations must decide on the best approach. By choosing an integrated approach, the organization can easily collaborate on provisioning, compliance and authorization.
The Verizon report notes that 2012 saw more than 44 million records compromised across all data breaches. If your organization doesn't already enforce IAM with the connected security necessary to grant employees access only to what they need, now is the time to consider it.