It's all well and good to be concerned about information security and data breaches, but a one-size-fits-all approach may not be the best way to go.

Jim Manico, OWASP Global Board Member

October 3, 2008

2 Min Read

It's all well and good to be concerned about information security and data breaches, but a one-size-fits-all approach may not be the best way to go.According to a report from the Verizon Business Risk Team (PDF), risk varies depending on your business' specific industry in terms of sources for attacks and their level of sophistication. Verizon analyzed four verticals and found:

1. Financial services: 56% of breaches came from outside of the organization, 41% from third parties (business partners), and 38% from inside of the organization.

2. High-tech services: 55% of breaches came from outside of the organization, 39% from inside of the organization, and 18% from third parties.

3. Retail: 84% of breaches came from outside of the organization, 36% from third parties, and 11% from inside of the organization.

4. Food and beverage: 80% of breaches came from outside the organization, 70% from third parties, and 4% from inside the organization.

The numbers within each vertical add up to more than 100 because many breaches involve multiple sources, the study explains, which goes on to point out that the tech services category was the only one that faced a bigger threat from within than from business partners: "It stands to reason that organizations in this industry likely employ a high percentage of tech-savvy staff and grant them high levels of access to numerous systems. Unfortunately, some find that access to sensitive and valuable resources is a temptation too hard to resist. Facing similar temptations, insiders in the Financial Services industry were behind a large proportion of breaches as well." Along the same lines, the most sophisticated of attacks are happening within the tech and financial services markets, though a bird's eye view of all four markets points to low-difficulty attacks being the culprit at the majority of firms. Another finding: how widespread errors (mostly indirect) contribute to systems being compromised. Hacking was also a major culprit, though in financial services deceit and misuse (using granted resources and/or privileges for any unauthorized purpose) was cited more frequently.

The report breaks down plenty more info, including how attackers are getting in, what kinds of information they're after (three words: payment card data), and the life cycle of a breach. Granted, there's much to take in, but the drilldown exercise that Verizon performed is one you should do for your business as well.

According to Bryan Sartin, a contributor to the report who also spoke with Dark Reading, employing a generic risk calculation, such as the likelihood of insider threats, may be a mistake unless industry-specific factors are accounted for. Although there are many studies and calculators that discuss trends in security attacks, very few of them break their data down by industry, and that breakdown may be crucial to accurately calculating risk in a particular enterprise, he added.

About the Author(s)

Jim Manico

OWASP Global Board Member

Jim Manico is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. OWASP's mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. OWASP's AppSecUSA<https://2015.appsecusa.org/c/> conferences represent the nonprofit's largest outreach efforts to advance its mission of spreading security knowledge, for more information and to register, see here<https://2015.appsecusa.org/c/?page_id=534>. Jim is also the founder of Manicode Security where he trains software developers on secure coding and security engineering. He has a 18 year history building software as a developer and architect. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. He is the author of Iron-Clad Java: Building Secure Web Applications<http://www.amazon.com/Iron-Clad-Java-Building-Secure-Applications/dp/0071835881> from McGraw-Hill and founder of Brakeman Pro. Investor/Advisor for Signal Sciences.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights