The majority of data breaches are caused by attacks that could have been avoided with greater attention to data protection practices, says Neira Jones, head of security at payment card company Barclaycard.
According to a recent Techworld report, Jones asserted at the Infosecurity Europe press conference in London that 97 percent of all data breaches are caused by SQL injection, an attack in which untrusted input is spliced into a database query so that the database executes operations the site's developer never intended. When carried out successfully, such attacks can lead to the theft of sensitive information, often user names, passwords, credit card numbers and other data.
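The following is an added example, not code from the article or from Barclaycard, showing the flaw Jones describes beside its fix. It uses an in-memory SQLite table with constructed sample rows; the table, column names and payloads are assumptions for illustration. The vulnerable lookup concatenates the user-supplied name into the SQL text, so a crafted name changes the query itself: one payload returns every row, and a UNION payload pulls the password hashes out of a query that was only meant to return card details. The parameterized lookup sends the same input as a bound value, and both payloads simply fail to match.

```python
import sqlite3

# Constructed sample data standing in for a web application's user store.
SAMPLE_USERS = [
    ("alice", "s3cret-pw-hash", "4111-1111-1111-1111"),
    ("bob", "another-hash", "5500-0000-0000-0004"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: untrusted input becomes part of the SQL text, so it can
    alter the query's structure rather than just supply a value."""
    query = (
        "SELECT username, card FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the SQL text is fixed and the driver binds the value
    separately, so the input is only ever compared as a string."""
    query = "SELECT username, card FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups against a normal name and two injection payloads."""
    conn = make_db()
    # Payload 1: makes the WHERE clause always true, dumping every row.
    tautology = "x' OR '1'='1"
    # Payload 2: appends a second SELECT over a column the query never
    # exposed; the trailing -- comments out the closing quote.
    union = "x' UNION SELECT username, password_hash FROM users --"
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "vuln_union": lookup_vulnerable(conn, union),
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_tautology": lookup_parameterized(conn, tautology),
        "safe_union": lookup_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The check a practitioner should take from this is the one Jones poses: every place a query is built, the input must arrive as a bound parameter (or through an ORM that binds for you), never by string concatenation or formatting, regardless of how the input was validated upstream.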
Though this brand of cyberattack has been around for more than a decade, its capacity for damage has never been greater. Jones noted that the rise of smartphones, tablets and other interconnected devices makes SQL injection more dangerous than ever, as cybercriminals have more endpoints from which to steal information.
While acknowledging that cyberattacks are inevitable, Jones noted that 87 percent of them could be prevented by taking proactive data security steps, according to Techworld.
Threat modeling, for example, has proven to be an effective way of finding vulnerabilities in a website's software. The practice requires developers to assess a website or application in detail, understand how it handles data and which threats apply to it, and then root out the weaknesses those threats would exploit before an attacker does.
"I always say, if anyone says APT [advanced persistent threat] in the room, an angel dies in heaven, because APTs are not the problem," Jones said, according to Techworld. "I'm not saying that they're not real, but let's fix the basics first. Are organizations completely certain they're not vulnerable to SQL injections? And have they coded their web application securely?"
Jones certainly isn't the first to express this sentiment. In July 2011, identity theft protection firm IdentityHawk published a report asserting that 97 percent of data breaches are avoidable. However, IdentityHawk attributed the breaches to a wider array of vulnerabilities, including those caused by insiders, whether maliciously or unintentionally.
According to IdentityHawk, the vast majority of breaches could be avoided through "simple or intermediate controls." Organizations can also go a long way toward protecting their data by complying with industry regulations such as the Payment Card Industry Data Security Standard or the Health Insurance Portability and Accountability Act.
Such standards are put in place to not only protect the consumer, but also to ensure that the organization is doing everything within reason to keep sensitive information safe.
Though it is unlikely that data breaches will ever be completely eradicated, it is clear that certain steps can be taken to minimize their occurrence. In addition to complying with the relevant standards and adopting techniques such as threat modeling, organizations should also consider a data-centric security approach, which protects the information itself rather than individual endpoints, for example by encrypting or tokenizing stored data so that a record exfiltrated through a flaw like SQL injection is of little use to the attacker. This not only reduces an organization's exposure to the regulatory sanctions that follow a data breach, it also boosts the confidence of customers and business partners that their information is well protected.
"Data breaches have become a statistical certainty," Jones added, according to Techworld. "If you look at what the public individual is concerned about, protecting personal information is actually at the same level in the scale of public social concerns as preventing crime."
Security News from SimplySecurity.com by Trend Micro