2015 Second Annual Data Breach Industry Forecast – Experian
- “You’re going to be hacked. Have a plan.” – Joseph Demarest, Assistant Director of the FBI Cyber Division
- More than 500 million financial records have been stolen by hackers in the past 12 months – attributed to Joseph Demarest, Assistant Director of the FBI Cyber Division
- 59% of security incidents in the last year were the result of employee negligence and malicious insiders. These are also the least reported causes of security incidents, so this number is most likely low. – 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute (May 2013)
- 54% of organizations say that they conduct security awareness training for employees and other stakeholders that have access to sensitive or confidential personal information. – Is Your Company Ready for a Big Data Breach?, Ponemon Institute (September 2014)
As the New Year begins, predictions and speculation about industry trends emerge in abundance. After reading Experian’s Annual Data Breach Industry Forecast, one prediction in particular stood out to me. Experian notes in their report that 59% of the security incidents in the last year were caused by either malicious insiders or employee negligence. Given that incidents caused by insiders are the least commonly reported incidents, this number is most likely low. It is also likely to grow this year, as organizations invest in technology to prevent external intrusions and the exfiltration of data rather than address the problem of securing data internally.
While ensuring that a company’s network is secured from external threats is a necessary security measure, many companies rely too heavily on their network security to protect their data. Network security does little to protect information from insider threats and the potential for people on the network to be negligent. A wall around the village won’t stop a local resident from robbing the village bank if the only security the bank relies on is the village wall. File systems are especially difficult to secure, given the complexity of controlling access to share and folder resources. To add insult to injury, it is nearly impossible to fully understand what information lives on a file system. When sensitive data is left out in the open on a file system or financial information is erroneously stored in a share that the entire sales force has access to, network firewalls and monitoring systems won’t stop someone with access from taking the data or even sending it outside of the organization.
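As an added illustration of the “data left out in the open” problem described above (example code written for this page, not STEALTHbits’ own tooling): a small Python audit that walks a directory tree, finds files containing Luhn-valid payment-card numbers, and flags which of them are readable by everyone. The sample tree, its paths and the POSIX other-read check are constructed stand-ins for a real file share and its ACLs.

```python
import os
import re
import stat
import tempfile

# Candidate payment-card numbers: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_valid(digits: str) -> bool:
    # Luhn checksum: weeds out invoice or phone numbers that merely look like card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    # Luhn-valid card numbers found in text, returned as digit-only strings.
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]

def audit_tree(root: str) -> list:
    # Walk the tree and report every file holding card numbers, together with its exposure.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                cards = find_card_numbers(fh.read())
            if cards:
                # POSIX other-read bit stands in for "a share the whole company can read".
                findings.append({"path": path, "card_count": len(cards),
                                 "world_readable": bool(os.stat(path).st_mode & stat.S_IROTH)})
    return findings

def build_sample_share() -> str:
    # Constructed sample tree (not real data); the card numbers are well-known Luhn test values.
    root = tempfile.mkdtemp(prefix="share_")
    samples = [
        ("finance/cards.csv", 0o644, "4111111111111111\n5555 5555 5555 4444\n"),
        ("hr/notes.txt", 0o600, "refund to 4111111111111111\n"),
        ("sales/orders.txt", 0o644, "invoice 1234567890123456 paid\n"),
    ]
    for rel, mode, content in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root
```

Running `audit_tree(build_sample_share())` reports the finance file as both sensitive and world-readable, the HR file as sensitive but restricted, and ignores the invoice number that fails the Luhn check.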
Even in cases of external intrusion, ensuring that only the correct people have access to information is crucial. Though it has been discussed to death at this point, the recent Sony breach is a fantastic example of why network security simply isn’t enough. Once an external threat has gotten past the network security layer, it might as well be an internal threat. If a thief from another village can get past the village wall that provides the only security for the town, the thief looks just like a local resident and can rob the village bank. Any account that an intruder compromises grants them access to as much information as that account is privy to. If the account has access to sensitive information that it shouldn’t have access to, or data is left out in the open in the environment, it is easy pickings for the intruder. In the case of Sony, the intruders discovered contracts, scripts, passwords, financial information and other variants of unstructured data sitting unprotected in the environment.
Experian’s prediction that insider threats will continue to be the leading cause of security incidents in 2015 is probably a very safe one. The problem is complex and virtually impossible to solve in its entirety, given that internal security is both a technical and a human issue. There are products designed to mitigate insider threats and increase data security, STEALTHbits’ StealthAUDIT and StealthINTERCEPT products amongst them, but it will be important for organizations to educate their employees as well. According to Experian, only a little more than half of organizations say that they conduct security awareness training for people who have access to sensitive information. That number seems low when you look at the ramifications of a breach, and with Sony hot on everyone’s radar, it will be interesting to see how organizations prioritize internal data security in 2015.