The 2017 Verizon Data Breach Investigations Report has been released. This latest report in the long-running series features a significant tranche of data as well as some shocking but actionable insights that could drive fundamental improvements to organisational approaches to security – and hence lower organisational and regulatory risk. In this brave new era, no executive should ignore the conclusions of this annual report.
Here are some headline figures:
- 81% of hacking-related breaches leveraged either stolen or weak passwords
- 25% of breaches involved internal actors
- 51% involved criminal gangs
- 21% were related to espionage
- 39% of breaches occurred in the most heavily regulated industries (Financial Services and Healthcare)
The report itself gives a very detailed review of these and many more subjects, but here I’d like to focus on the risks apparent just from these high-level figures and draw some conclusions from my own perspective – and hopefully provide insight into the art of the possible.
The headline figure of 81% of hacking-related breaches (62% of breaches featured hacking) relating to stolen or weak passwords marks a continuing trend. As users we’ve all been under pressure for many years to create and remember passwords for all manner of digital and non-digital services. So, the majority of us recycle a few passwords over and over, making our lives easier but far more dangerous: one slip-up, and we hand over access to a vast range of the services we use.
Whose fault is this? The user, for not remembering a long, complex, alphanumeric case-sensitive password, with symbols for each service they use? Or the service provider, for not offering more human-enabled services? For example, enabling simple Multi-Factor Authentication (MFA) technologies would increase security, providing a second layer of proof by identifying the user by password AND something else, such as access to a specific physical device.
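To make the "password AND something else" idea concrete, here is an added example (not from the original post or from Verizon) of a login check that requires a password plus a time-based one-time code from a device the user holds. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly with the Python standard library; the user record, salt and the shared secret (the RFC test-vector key) are constructed sample data, and the `last_counter` replay guard is an assumed design choice of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: float, window: int = 1, step: int = 30):
    """Return the time-step counter the submitted code matched, or None.

    Adjacent steps are accepted to tolerate small clock drift between server and device;
    the comparison is constant-time so a guess cannot be refined by timing.
    """
    counter = int(now) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return counter + delta
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked store does not yield passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store for this example (not real credentials).
SALT = b"constructed-static-salt"          # a real system draws a random salt per user
TOTP_SECRET = b"12345678901234567890"      # RFC 4226/6238 test-vector key, sample data only
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": TOTP_SECRET,
        "last_counter": -1,  # highest time step already used, so a captured code cannot be replayed
    }
}


def login(users: dict, username: str, password: str, code: str, now: float) -> bool:
    """Succeed only if BOTH factors check out: the password and a fresh code from the device."""
    user = users.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = verify_totp(user["totp_secret"], code, now)
    # Evaluate both factors before deciding, then reject on any failure or on a reused code.
    if not pw_ok or matched is None or matched <= user["last_counter"]:
        return False
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    t = 59  # fixed time so the run is reproducible; RFC 6238 gives 94287082 (8 digits) here
    print("device shows:", totp(TOTP_SECRET, t))
    print("stolen password alone:", login(USERS, "alice", "correct horse battery staple", "000000", t))
    print("password + device code:", login(USERS, "alice", "correct horse battery staple", totp(TOTP_SECRET, t), t))
    print("same code replayed:   ", login(USERS, "alice", "correct horse battery staple", totp(TOTP_SECRET, t), t))
```

The point the post makes is visible in the last three lines: a leaked or reused password gets an attacker nothing without the current code from the user's device, and even a code captured in transit is refused once it has been used.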
Next: 25% of data breaches involved internal actors. These could be employees, partners, contractors, etc., and the (very sad) headline number means that organisations must strive to ensure that access to their content is based on need. If I reasonably require access to data or files to do my job, then I should have access to only that – not everything. Contractors, for example, hold a specific skill. When organisations use contractors to complete a task, they grant access to organisational content to achieve this; but when the job is done, contractors often move on to competitors to do the same job. They should have access to just enough information to complete their task properly and efficiently, but once that job is done, access should be removed quickly. When access to sensitive information is required, using tools such as Information Rights Management (IRM) can ensure that only specific actions can be taken with that content (e.g., read-only, no printing), and watermarking clearly identifies the origins of a document right on the page, allowing use but not theft.
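The two access-hygiene rules in the paragraph above, grant only what the job needs and remove it promptly when the engagement ends, can be checked mechanically. Below is an added example (my own, not from the original post or any product mentioned in it) of a small access review run over constructed sample records: contractor engagements with an end date, the access grants that exist, and the resources each engagement is supposed to need. Record shapes, field names and the sample data are all assumptions of this example.

```python
from datetime import date

# Constructed sample data for this example (not real people, systems or grants).
ENGAGEMENTS = {
    "ctr-001": {"name": "Contractor A", "ends": date(2017, 3, 31), "needs": {"finance-share"}},
    "ctr-002": {"name": "Contractor B", "ends": date(2017, 9, 30), "needs": {"design-repo"}},
    "emp-010": {"name": "Employee C", "ends": None, "needs": {"design-repo", "hr-share"}},
}

GRANTS = [
    {"principal": "ctr-001", "resource": "finance-share", "rights": "read"},
    {"principal": "ctr-001", "resource": "design-repo", "rights": "read"},   # never needed
    {"principal": "ctr-002", "resource": "design-repo", "rights": "write"},
    {"principal": "ctr-002", "resource": "hr-share", "rights": "read"},      # never needed
    {"principal": "emp-010", "resource": "hr-share", "rights": "read"},
    {"principal": "ghost-99", "resource": "finance-share", "rights": "write"},  # no known engagement
]


def stale_grants(grants, engagements, today):
    """Grants held by principals whose engagement has ended or is unknown: remove these first."""
    stale = []
    for g in grants:
        eng = engagements.get(g["principal"])
        if eng is None or (eng["ends"] is not None and eng["ends"] < today):
            stale.append(g)
    return stale


def overbroad_grants(grants, engagements):
    """Grants on resources the engagement was never supposed to need (need-to-know violations)."""
    return [
        g for g in grants
        if g["principal"] in engagements
        and g["resource"] not in engagements[g["principal"]]["needs"]
    ]


def review(grants, engagements, today):
    """One access-review pass; returns findings keyed by type so they can be ticketed or revoked."""
    return {
        "stale": stale_grants(grants, engagements, today),
        "overbroad": overbroad_grants(grants, engagements),
    }


if __name__ == "__main__":
    findings = review(GRANTS, ENGAGEMENTS, date(2017, 6, 1))
    for kind, items in findings.items():
        print(f"{kind}: {len(items)} finding(s)")
        for g in items:
            print(f"  revoke {g['rights']} on {g['resource']} from {g['principal']}")
```

Run on a schedule (or triggered by an HR or contract-end event), a check like this turns the "remove access quickly" advice into something that actually happens, and the `overbroad` list is the need-to-know review the paragraph asks for.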
Where bad actors do gain access, we should be working to ensure that all sensitive business information or Personally Identifiable Information (PII) has been rendered useless to them. Encryption is a good method of achieving this, and capabilities such as IRM or Customer Managed Encryption Keys (CMK) let the owner switch off access to content after the fact, helping prevent espionage.
The issues presented here are pertinent across all industries. The danger of ignoring them is not just the loss of business information but also the potential loss of PII, and the consequences go beyond non-compliance with regulation (such as the impending GDPR): reputational damage is also a likely outcome, resulting in lowered market value and loss of customers.
While these challenges may seem daunting, it’s important not to ignore them. A few simple steps, such as incorporating MFA into password-protected systems and adopting secure cloud collaboration technologies, can make light work of these big challenges.
And if you are in a highly regulated industry (where 39% of attacks occur) then you should be really on your game!
For more details, you can read the full Verizon Data Breach Investigations Report.