Verizon's just-released "2011 Data Breach Investigations Report" says businesses could prevent most data breaches if they stick to security principles that are cheap and easy to implement.
The downfall of victims stems from failure to follow the elementary steps all businesses should take to protect their assets, the report says.
Attackers adapt to new defenses, but on the whole, they take the path of least resistance, which often means exploiting vulnerabilities that could be eliminated readily by implementing the basics, the authors of the report say.
MOBILE LEAKS: Skype for Android leaks user data
"As a whole, do you really think we're making them scramble to adapt?" they say. "Year after year our data seems to suggest that we are not, and that is something that needs to change. If they adapt, then they adapt. C'est la vie. But let's quit allowing them to find success in stagnation."
The report says 63% of breaches could be prevented through means it calls simple and cheap. Only 4% require preventive measures described as difficult and expensive.
GOOD GUYS: 12 "White Hat" hackers you should know
Here are the authors' recommendations based on the security incidents they reviewed this year.
-- Pick the essential security controls and put them in place without exception. Then implement more advanced controls as needed.
-- Change default credentials, create unique passwords and don't share them.
-- Regularly review active accounts to make sure they are valid, necessary, properly configured and given only appropriate privileges.
-- Restrict and monitor privileged users.
-- Secure remote access services.
-- Monitor and filter outbound traffic for suspicious communications -- which could result in halting ongoing data breaches.
-- Test applications, review code and encourage developers to write more secure code.
-- Implement effective monitoring for and response to critical log data that can flag breaches.
-- Define suspicious and anomalous network behavior, look for it and send alerts when it is found.
-- Reduce the time breaches are active (and therefore can do damage) with weekly review of basic breach indicators such as counting log lines for major spikes.
-- Increase awareness of social engineering.
-- Run regular incident tests and practice responses.