Beware of the self-inflicted data breach

Verizon report finds more than a quarter of cyber incidents involve internal errors, not outside attacks.


While government agencies invest in protecting themselves from external cyber threats, a Verizon report to be published April 23 warns that many data breaches are self-inflicted.

Of the more than 63,000 cyber incidents across public and private industries that Verizon studied for its 2014 Data Breach Investigations Report, more than a quarter were due to miscellaneous errors such as accidentally publishing data online or sending an email to the wrong recipient. As the country's largest employer and a gatekeeper of untold amounts of data on employees and constituents, the federal government is especially prone to sending non-public information to the wrong person, the report found.

Agencies might be aware of the problem “on a micro-scale, but they don’t know how big the problem really is,” said Chris Porter, managing principal of the Verizon Cyber Intelligence Center and co-author of the report.

Installing data loss prevention software and instituting "a blanket prohibition against storing un-redacted documents on a file server that also has a Web server running" are two ways that organizations can guard against unintentional disclosures of sensitive data, the report said. The second recommendation addresses a common cause of accidental publishing: a web server will serve any file placed under its document root, so an unredacted document copied there is public whether or not anyone links to it.
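The two recommendations above are a product category and a policy; the check that both come down to is scanning what sits under a web-served directory for content that should not be there. The following script is an added illustration written for this page, not code from the Verizon report or from any DLP product: it walks a directory tree, applies a small set of detection rules (an SSN-like number pattern and classification markings, both constructed for the example) to text-like documents, and reports the file and line of each hit. The sample web root it builds, with a clean public page and two files that should never have been placed under the document root, is constructed inline so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical detection rules, constructed for this example. A real DLP
# deployment carries a much larger rule set (account numbers, names joined
# to dates of birth, agency-specific markings, ...).
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "marking": re.compile(r"\b(?:CONFIDENTIAL|FOR OFFICIAL USE ONLY|FOUO)\b"),
}

# Only text-like documents are scanned here; binary formats (PDF, DOCX)
# need a text extractor in front of the same rules.
SCANNED_SUFFIXES = {".txt", ".csv", ".md", ".html", ".htm"}


def scan_file(path: Path) -> list[tuple[str, int]]:
    """Return (rule_name, line_number) for every rule hit in one document."""
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rule in RULES.items():
            if rule.search(line):
                hits.append((name, lineno))
    return hits


def scan_web_root(root: Path) -> dict[str, list[tuple[str, int]]]:
    """Walk everything under a web-served directory and report the files
    that would be a disclosure if the web server handed them out.
    Keys are paths relative to the root, in POSIX form."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_root() -> Path:
    """Constructed sample web root: one public page plus two files that
    should never have been placed under the document root."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text(
        "<h1>Agency portal</h1>\n<p>Contact us.</p>\n"
    )
    (root / "uploads").mkdir()
    (root / "uploads" / "payroll.csv").write_text(
        "name,ssn,grade\nA. Smith,123-45-6789,GS-12\nB. Jones,987-65-4321,GS-9\n"
    )
    (root / "docs").mkdir()
    (root / "docs" / "memo.txt").write_text(
        "FOR OFFICIAL USE ONLY\nDraft response to the audit.\n"
    )
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for rel, hits in scan_web_root(root).items():
        print(f"{rel}: {hits}")
```

Run against a real document root, the same scan belongs in two places: as a pre-publication gate before files are copied into the web-served tree, and as a scheduled sweep of the tree itself, because the report's point is that the misplaced file is usually an accident nobody noticed. Pattern matching alone produces false positives (any 3-2-4 digit string looks like an SSN), so findings are a queue for review rather than an automatic block.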

The number of organizations contributing data to the annual report has risen sharply in the last few years, from five in 2012 to 18 organizations last year, and now 50 organizations in 2014, Porter said. U.S. government and government-related organizations that contributed data this year included the Department of Homeland Security, the Electricity Sector Information Sharing and Analysis Center, and the Secret Service.

Verizon decided to expand the scope of the report significantly this year by including data from cyber "incidents," meaning any event in which a system's security was compromised or threatened, and not just confirmed breaches in which data was actually stolen. As organizations shared their security data for the report, "we realized that they had a lot more data than just confirmed data breaches, and that there was a lot for us to learn from focusing on other types of incidents as well," Porter added.

There is still a need for detailed studies of how individual cyber breaches occur, he argued. While public disclosure laws often require organizations to tell their customers about a breach, “the one thing that we don’t learn about any of these events is how they happened,” he said.

The National Transportation Safety Board thoroughly investigates every plane crash and delivers a post-mortem report so airlines can avoid the same mistakes, Porter said. Why can’t the security industry be the same way?