Verizon data breach investigations report, Part 2: Outsider attacks

* A surprising finding about the sources of data breaches

The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." The team said: "In a finding that may be surprising to some, most data breaches investigated were caused by external sources." Today I want to explore the implications of that finding.

The authors explain their terminology for sources of data breaches: 

“Internal threat sources are those originating from within the organization. This encompasses human assets - company executives, employees, and interns as well as other assets such as physical facilities and information systems. Most insiders are trusted to a certain degree and some, IT administrators in particular, have high levels of access and privilege.”

The three threat sources used in the study are as follows (quoting with elisions as shown):

• External - Intuitively, external threats originate from sources outside the organization. Examples include hackers, organized crime groups, and government entities but also environmental events such as typhoons and earthquakes. Typically, no trust or privilege is implied for external entities.

• Internal - Internal threat sources are those originating from within the organization. This encompasses human assets - company executives, employees, and interns as well as other assets such as physical facilities and information systems…

• Partner - Partners include any third party sharing a business relationship with the organization. This value chain of partners, vendors, suppliers, contractors, and customers is known as the extended enterprise.

The researchers found that outsiders, not insiders, were responsible for “data compromises” in about three-quarters of the cases studied; “business partners were involved in 39% of the data breaches handled by our investigators. Internal sources accounted for the fewest number of incidents (18%), trailing those of external origin by a ratio of four to one.” The percentages add up to more than 100% because more than one type of source was observed in many breaches.

Speaking personally, I am going to have to rethink my long-held stance – originating in the 1980s – claiming that the bulk of the threats to information systems are internal. I have taught that about half the problems observed in organizations come from errors and omissions, with dishonest and disgruntled employees coming in next and adding up to about three-quarters of the cases informally reported by consultants. The Verizon study casts serious doubt on this vague generalization and I will be telling my introductory information assurance students to follow the guidance of my favorite bumper sticker: QUESTION AUTHORITY - in this case, me!

Again, no one is claiming that the results of the Verizon study can be extended to the totality of all security breaches; nevertheless, their results are certainly giving me something to think about. I hope that readers will find the study equally stimulating.

In the next installment of this series, I’ll look at the research findings concerning breach size and source.


Copyright © 2008 IDG Communications, Inc.
