Data breaches have many causes, from outdated security software to employee mistakes. While enterprises have to contend with a wide array of external dangers – for example, record-setting distributed denial-of-service attacks and flaws in popular open source tools such as OpenSSL – the most serious risks may reside within the organization.
Malicious insiders are well-chronicled for their capacity to cause extensive financial and reputational damage while skirting common defense mechanisms. Vormetric and Ovum's 2014 report, "Insider Threat," surveyed 92 IT decision-makers in Western Europe, finding that more than 75 percent of them planned to increase spending specifically to address insider threats. The growing importance of cloud computing and third-party contractors has also put enterprises at elevated risk of such self-inflicted harm.
User error a leading cause of public sector data breaches
But what about insiders who put assets at risk without really knowing that they do so? Accidental error is becoming a leading catalyst of data breaches, according to the most recent edition of Verizon's annual "Data Breach Investigations Report." The problem is particularly acute among government agencies, in which privileged information is often delivered to unauthorized recipients.
The public sector is already beset by significant security issues, such as reliance on aging software (Microsoft Windows XP and Server 2003 have been mainstays of major government IT deployments for years) and the rising specter of advanced persistent threats. The "oops" factor further complicates cybersecurity strategy.
Verizon's researchers studied more than 50 organizations around the world and discovered that there were 1,367 data breaches in 2013, as well as 63,000 "security incidents" that ran the gamut from leaks to violations of information confidentiality. While governments accounted for only a sliver of actual breaches, they were involved in 75 percent of security incidents.
The report determined that a handful of threat types together accounted for nine in 10 incidents that occurred during its 10-year frame of study. Of these, user error was by far the leader, easily beating out crimeware, DDoS and Web app attacks. Together with insider misuse, it triggered 58 percent of all miscellaneous security events. In government agencies, the error in question is often not a high-profile failure at all, but a slip-up during a routine workflow.
"One of the more common examples is a mass mailing where the documents and envelopes are out of sync (off-by-one) and sensitive documents are sent to the wrong recipient," stated the report authors. "A mundane blunder, yes, but one that very often exposes data to unauthorized parties."
While these numbers are cause for concern, it's worth noting that the U.S. government is one of the world's largest employers, plus its constituent organizations are bound by law to be transparent about breaches. It is likely that public sector agencies report a far greater share of incidents than their private sector counterparts do.
Insider misuse and error have been cybersecurity problems for years
Verizon's findings confirm the long-term trend of internal issues accounting for an increasing share of security incidents. Last year, research from the Ponemon Institute and Symantec found that system crashes and human error were at the root of two-thirds of 2012 data breaches. Moreover, these causes pushed up the average cost of an event by exposing organizations to lapses in regulatory compliance and theft of intellectual property.
The shift from predominantly external to internal threats underscores the importance of securing data wherever it resides. It is no longer enough to simply guard the perimeter against intrusion. Organizations have to keep an eye on network activity and adopt comprehensive, holistic measures, including Internet security solutions that scan for threats and cross-reference their findings against a database of known problems.
By addressing all parts of their infrastructure and patching potential weaknesses, companies reduce their exposure across the full range of risks. While the rise of user error as a cause of public sector breaches is perhaps the most revelatory part of the 2014 Verizon report, the study also detailed how each vertical faces its own distinctive set of core threats, making the case for a multifaceted strategy toward cybersecurity:
- More than half of cyberattacks on manufacturers are either DDoS or espionage
- Seventy-five percent of incidents affecting financial services providers are attacks on Web applications
- In retail, point-of-sale intrusions constitute 31 percent of breaches, while DDoS is not far behind at 22 percent
Taken together, these results paint a picture of a threat landscape that requires attention to both traditional external dangers and rapidly evolving internal factors. In an August 2012 article, "How to Thwart the Digital Insider – an Advanced Persistent Response to Targeted Attacks," Trend Micro vice president Tom Kellermann advised enterprises to turn to data analytics and network monitoring to make sense of the rising volumes of activity that they had to sift through while protecting assets.
"Gaining this kind of advanced situational response requires organizations to look both outside and inside their networks," wrote Kellermann. "Firstly, they need to grasp the importance of big data analytics in being able to correlate and associate the various nuances of cyber crime campaigns occurring in the wild with what's going on inside the network. This kind of smart data modeling and analysis should be able to spot if there are any correlations between cyber attack activity on the Internet and an organization's IP addresses, users, domains and networks, giving them the information they need to act."
Furthermore, Kellermann pointed out that companies should be aware that malicious insiders sometimes patch the same vulnerabilities that they exploit to break into critical IT infrastructure, effectively covering their tracks. This tactic gives a sense of how difficult it can be to mitigate internal risk, since security teams have to be wary of employee-enabled APTs that may be triggered intentionally or by a simple error that exposes a hole in the network.
Whether part of a deliberate espionage scheme or just another wrongly sent email, internal risk factors merit more attention from the cybersecurity community. Ideally, more organizations will follow the government's lead and be transparent about what happens when they are breached. This way, everyone can learn more about the leading threats to data, privacy and cloud security.