

A Breach a Month - Or More

New study shows most companies suffer between three and 22 violations of sensitive data each year

If your company has suffered fewer than three breaches of sensitive data in the last year, congratulations -- you are in the top 10 percent of security organizations in the U.S.

That's the conclusion of a new study that will be unveiled tomorrow by the IT Policy Compliance Group, a consortium of security organizations backed by Symantec. The study, conducted between August and October of last year, surveyed 201 companies of varying sizes about their experiences with data breaches, and their practices for preventing them.

The study found that the vast majority of companies -- about 70 percent -- had suffered between three and 22 breaches of sensitive data in the past year. A whopping 20 percent have experienced 22 or more. "Breach" was defined as unauthorized access of data, which includes loss, theft, and inadvertent viewing.

"What this says is that most companies haven't put all the pieces together yet," says Jim Hurley, managing director of the IT Policy Compliance Group and a former analyst at Aberdeen Group. "A lot of them are attacking the problem from one perspective and missing out on others."

So what's the difference between the top 10 percent, which were hit by three or fewer breaches, and the other 90 percent of the survey base? Some of the answers may surprise you.

For one thing, there's a difference in the way organizations define their "sensitive data." The least successful organizations define it narrowly as financial and critical business information. The most successful organizations include IT security data and IT compliance data in their "sensitive" lists, according to the study.

"What we found throughout the study was that the organizations that did the best were the ones that paid the most attention to security data, compliance data, and security controls and policies," Hurley says. For example, the most successful organizations are those that have not only achieved regulatory compliance, but that also monitor and check that compliance as frequently as once a week, he says.

"What we saw is that there is a real benefit to establishing strong controls and policies and maintaining them," Hurley says. "If you think you can protect your data by just encrypting everything, you're mistaken."

How do the breaches occur? The top three causes are user error, violations of the corporate security policy, and Internet hacks and attacks, the study says. "But it was interesting, because we found a whole range of other causes that are less frequent, but still have an impact," Hurley says. "Most companies focus mostly on just the top three." Employee malfeasance, insufficient auditing, and insufficient controls are among the areas that many companies overlook, he says.

The origins of data breaches were no great surprise. The most frequently cited losses emanated from PCs, laptops, and mobile devices, followed by leakage via email or instant messaging. Many companies also reported breaches through applications and databases, the report says.

The ITPCG also offered a preview of data it will be releasing in its next study, which focuses on the financial impact of publicly disclosed data breaches. According to that study, companies that suffer a public breach lose an average of 8 percent of their customer base, and show a corresponding decline in revenue. In addition, those companies incur costs of approximately $100 per lost record due to the time and effort required to notify customers of the breach and restore customer data, Hurley says.

Aside from focusing greater attention on policies and controls -- such as monitoring security and usage logs -- companies should take steps to reduce human errors, the report advises.

"It's more than just user training, it's making users accountable for their actions," Hurley says. One company Hurley interviewed has instituted a compensation plan that depends, in part, on maintaining security, he reports. "If there's a breach, the employees don't get their commissions," he says. "I think a lot of companies would be surprised at how much they could improve security with the right carrots and sticks."

An executive summary of the report can be found here. Users must register with the ITPCG to get a full copy of the 32-page study.

— Tim Wilson, Site Editor, Dark Reading
