Data breach incidents are increasing, study shows
My official title may be "analyst," but market research is the part of my job that appeals to the geek in me. Good thing I work at ESG, where we do market research around information assurance all the time.
Given an IT security landscape highlighted by regulatory compliance, publicly-disclosed data breaches, and increasingly sophisticated threats, we often ask survey respondents whether their organization suffered a data breach in the last 12 months. ESG has probably asked this very question in several research projects over the past few years. In the past, about 30 percent of large organizations (i.e. 1,000 employees or more) claimed that their organization had suffered a data breach within the last year.
This pattern was fairly consistent from 2005 through 2007, so I expected to see similar results when we conducted another research survey focused on application and database security at the end of 2008. I was shocked to see that things have actually grown much worse. In a November 2008 survey of 179 North American-based security professionals, 56 percent claimed that their organization had suffered a data breach within the past 12 months. In further analysis, 61 percent of organizations with 1,000 to 5,000 employees suffered a data breach in that time frame. It's easy to assume that these smaller firms are more at risk since they are likely to have fewer security technologies in place and smaller security staffs. Perhaps this is true, but even bigger companies are suffering data breaches--49 percent of organizations with 5,000 employees or more endured at least one data breach of their own.
Armed with data from several years of surveys, I think it is safe to assume that things are getting worse, not better. Sensitive data continues to flow throughout the enterprise: into e-mails and IMs, onto laptops and thumb drives, and into the hands of malicious or careless employees. Keeping it under control is an uphill battle indeed.
We all realize that the economy stinks and CIOs absolutely must cut IT spending. That said, the ESG data suggests that they should take a prudent approach to security spending cuts. Remember that one publicly-disclosed breach can cost a lot more than a security staffer, a technology safeguard, or additional training. Just ask TJX, Heartland Payment Systems, Monster, or the 56 percent of large organizations represented in the ESG Research data.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET. 

Jon- Interesting to note that the difference in number of breaches between larger and smaller organizations is not that huge - does this imply that current security practices being implemented in larger organizations are not doing their job? As you said, an uphill battle indeed - the number of devices increasing, the networks multiplying and data getting even more distributed. I don't think the current approach of protecting mainly the data at rest on devices is working and the numbers seem to reflect that. I believe an information-centric approach of protecting the data itself is the more logical way to address these challenges.
Hmm. Agree with the prognosis, but am wondering about the cause. Given that IT has been foisted on our ex-hunter-gatherer cultures and still-evolving brains, is it any wonder that, when we are given in the space of only a few decades an electronic playground as full of holes and as empty of agreed behaviours as the one we have today, the level of data breaches should be so high? I wish I had the answers, but I know (sorry, vendor comments) that technology ain't going to solve the problem by itself. My current philosophy is, 'one-third technology, two-thirds best practice', which feels about right though would be difficult to prove scientifically.
Cheers, Jon
Freeform Dynamics
http://www.freeformdynamics.com
http://viewsfromthebridge.wordpress.com/
twitter: jonno
Continuump mentioned looking for solutions; here's what I've found works:
1) Check your firewall logs. Specifically, spend some time looking at outbound traffic flow during non-business hours (both permitted and blocked, *especially* TCP/80). Weed out known patch sites and investigate everything else.
2) Forget about the treadmill that is A/V signature updating and move towards application control, also sometimes referred to as application whitelisting. I work with sites that see zero malware infections despite the fact that they dumped their A/V solution over a year ago.
3) The target of choice for serious attackers is desktops, not the servers. With this in mind consider deploying HIPS software on every system. Focus on back end management capability rather than slick features. Something that runs as a kernel module works best.
by MChuvas, July 31, 2009 6:05 AM PDT
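The first item in the comment above, reviewing off-hours outbound web traffic in the firewall log and weeding out known patch sites, is the kind of check that is easiest to make repeatable with a small script. The following is an added example written for this page, not code from the commenter or from CNET. It assumes a netfilter/iptables-style syslog line format with ISO timestamps, the RFC 1918 ranges as "internal", an 08:00-18:00 Monday-to-Friday business window, and a placeholder allowlist of patch-site networks (the documentation range 192.0.2.0/24); the log lines themselves are constructed for the example. Everything outbound to TCP/80 outside business hours that is not on the allowlist is reported, accepted and dropped alike.

```python
"""Off-hours outbound web traffic review over (constructed) firewall log lines."""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the site's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Placeholder allowlist of known patch/update destinations. The real list must be
# built from the site's own patch infrastructure; 192.0.2.0/24 is a documentation range.
KNOWN_PATCH_NETS = [ip_network("192.0.2.0/24")]

BUSINESS_START, BUSINESS_END = 8, 18   # 08:00-18:00 local time, Monday-Friday

# Assumed netfilter-style line layout, e.g.
# 2009-07-30T02:14:05 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=... DST=... PROTO=TCP SPT=... DPT=80
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: \[(?P<action>ACCEPT|DROP)\] "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict of typed fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def in_any(addr, nets):
    return any(addr in net for net in nets)


def is_off_hours(ts):
    """True on weekends or outside the business-hours window."""
    if ts.weekday() >= 5:          # Saturday = 5, Sunday = 6
        return True
    return not (BUSINESS_START <= ts.hour < BUSINESS_END)


def is_outbound(rec):
    """Outbound = internal source to a non-internal destination, independent of interface names."""
    return in_any(rec["src"], INTERNAL_NETS) and not in_any(rec["dst"], INTERNAL_NETS)


def off_hours_outbound(lines, ports=(80,)):
    """Count off-hours outbound TCP flows to the given ports, ACCEPT and DROP alike,
    skipping destinations on the patch-site allowlist.
    Returns {(src, dst, action): count}; every key is something to investigate."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in ports:
            continue
        if not is_outbound(rec) or not is_off_hours(rec["ts"]):
            continue
        if in_any(rec["dst"], KNOWN_PATCH_NETS):
            continue                # known patch site: weed it out
        counts[(str(rec["src"]), str(rec["dst"]), rec["action"])] += 1
    return dict(counts)


# Constructed sample log (not real traffic). 2009-07-30 is a Thursday, 2009-08-01 a Saturday.
SAMPLE_LOG = [
    "2009-07-30T02:14:05 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=51324 DPT=80",
    "2009-07-30T02:14:35 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=51330 DPT=80",
    "2009-07-30T03:02:11 fw kernel: [DROP] IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.9 PROTO=TCP SPT=51400 DPT=80",
    "2009-07-30T03:30:00 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=10.1.7.40 DST=192.0.2.50 PROTO=TCP SPT=49211 DPT=80",
    "2009-07-30T10:15:22 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=51500 DPT=80",
    "2009-07-30T01:05:09 fw kernel: [ACCEPT] IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.1.5.23 PROTO=TCP SPT=80 DPT=51401",
    "2009-07-30T02:50:00 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=198.51.100.7 PROTO=TCP SPT=51600 DPT=443",
    "2009-08-01T13:00:00 fw kernel: [ACCEPT] IN=eth1 OUT=eth0 SRC=10.1.7.40 DST=203.0.113.9 PROTO=TCP SPT=50001 DPT=80",
]

if __name__ == "__main__":
    for (src, dst, action), n in sorted(off_hours_outbound(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:80 {action} x{n}  <- investigate")
```

On the sample, the 03:30 flow to the allowlisted patch network, the 10:15 daytime flow, the inbound connection, and the port-443 flow are all dropped from the report; what remains is a workstation talking to an unknown host at 02:14 twice, the same workstation having a port-80 connection blocked at 03:02 (a blocked outbound attempt is still evidence the host wanted to call out), and a Saturday-afternoon flow from a second workstation. The allowlist is the part that needs site-specific care: build it from the patch infrastructure you actually run rather than from guesses, and review it periodically, since an attacker who can reach an allowlisted destination disappears from this report.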
Many breaches are occurring due to data being lost by employees, third parties or while in transit. This is one of the areas needing to be controlled....
How do you control who accesses your data once it's left your physical control? How do you audit what has happened to your information?