Though all technology users face the risks of data loss, there are degrees of
variability across different industries.
The food services industry, for example, faces higher incidents of external attacks
while the financial services industry is at greater risk from insider attack. That’s the
core finding of a new Verizon Business Data Breach supplementary study analyzing four
years of data that included some 230 million compromised records.
Verizon’s new data analysis comes as the payment card industry (PCI) and others ramp
up efforts to prevent data loss.
“Financials in general tend to be more secure and less subject to compromise events,”
Bryan Sartin, director of the investigative response team at Verizon Business, told
InternetNews.com. “What you are seeing are more inside jobs; finaincials are
better secured against the outside but where the vulnerabilities exist they are
internal.”
According to Verizon’s simplified risk calculation matrix based on its data across the
financial, food, retail and technology sectors, the overall likelihood of an external
data loss incident is 73 percent. For financials alone the likelihood is only 56 percent.
However, when it comes to internal sources of data loss, the overall likelihood is 18
percent while in the financial vertical the number jumps to 38 percent.
Sartin noted that the volume of unique records per case in the internal data loss
incidents in the financial industry is also substantially higher than other
verticals.
“So maybe they ‘financials’ are more secure but the problems they do have tend to be
far worse,” Sartin said.
When it came to insider threats, the food industry had the lowest likelihood of data
loss at only 4 percent. In contrast though, the food industry had the second highest
likelihood of external loss at 80 percent (retail came in at 84 percent).
“In a restaurant environment versus financials or high tech, inside jobs are unique
because the restaurant tends to be a small entity,” Sartin explained. “It’s far more rare
for even large chains that settlement requests for authorization ‘are routed’ to a
central point. They usually go out directly to the credit card processor.”
While the risks related to external and internal threats are important to identify,
there is a third source of data loss risk and that comes from business partners and
outsourcing.
“From the numbers we see it’s pretty simple to derive a higher risk factor around
external business partner relationships particularly those related to outsourcing,”
Sartin said.
However, the blame doesn’t necessarily rest with outsourced business partners alone as
the data loss risks are still the same that industries face from internal and external
threats. The fundamental issue, according to Sartin, is looking at data as the item that
needs to be secured.
“The data says yes there is perhaps more risk there ‘with outsourcing’ but what it
really underscores it the idea that there is still a circa 1998 mentality that people
have around information security,” Sartin commented. “They are all about protecting the
company against the outside world.”
In Sartin’s view, all IT users need their fingers on the pulse of data within an
organization, ensuring that all access is monitored and tracked to ensure that data is
not lost.
One positive step in the right direction to ensure data is protected it the PCI-DSS
compliance requirement, which protects payment card data. According to Verizon’s data,
payment card data is most often why systems come under attack. While some have argued
that PCI compliance doesn’t
necessarily mean an enterprise is secure, Sartin is of the view that PCI sure does
help.
“PCI-DSS is one of the better demonstrated programs to set companies up for success in
terms of keeping their companies out of the headlines for security breaches,” Sartin
commented. “I think PCI is pretty darn effective, but you still need a little more than
and tailoring is where there is some perceived benefit.”
Sartin suggests that enterprises should always look for ways to tailor data loss
security prevention around real points of risks in an environment. Protecting against
data loss from external, internal and partner outsourcing related risks is also a
critical step in the right direction for data loss prevention.
“You need to look at where is the data and if you don’t need it don’t store and if you
have to store it make sure it’s secured.”
Article courtesy of InternetNews.com
