Study: most data breaches preventable.
by Nikki Swartz
The Verizon Business Risk Team reviewed more than 500 corporate
data breaches between 2004 and 2007 and found that 87 percent could have
been prevented--if only the companies had the proper security measures
in place at the time of the breach.
After four years of forensic research involving more than 230
million records, the "2008 Data Breach Investigations Report"
found that 73 percent of breaches resulted from external sources, while
18 percent were caused by insiders. Thirty-nine percent implicated
business partners--a number that increased five-fold over the time
period of the study--while 30 percent involved multiple parties.
The first-of-its-kind study looked at data breaches in a wide
variety of industries, including retail, food and beverage, technology,
and financial services. According to the findings:
* Most breaches resulted from a combination of events rather than
from a single action. Specifically, 62 percent were attributed to a
significant error; 59 percent resulted from hacking and intrusions; 31
percent incorporated malicious code; 22 percent exploited a weakness;
and 15 percent were due to physical threats.
* Of those breaches caused by hacking, 39 percent were aimed at the
application or software layer. Fewer than 25 percent of attacks took
advantage of a known or unknown vulnerability. Significantly, 90 percent
of known vulnerabilities exploited had patches available for at least
six months prior to the breach.
* Nine of 10 breaches involved some type of
"unknown"--unknown systems, data, network connections, and/or
account user privileges. Also, 75 percent of breaches were discovered by
a third party rather than the affected organization.
* Seventy-five percent of all data breaches result in compromised
data within a matter of days. Despite this, the study "also reveals
that 63 percent of companies don't learn about data breaches until
months after their data has been compromised." Even after breaches are
discovered, the study finds that nearly half of them take weeks to fix.
The study urges businesses to be proactive and provides key
recommendations to help them protect themselves:
* Align process with policy--In 59 percent of data breaches,
organizations had established security policies and procedures, but they
had not been enacted through actual processes. Create solid data
protection policies and then follow through.
* Achieve "essential" then worry about "excellent"--Identify a set
of essential controls and ensure they are implemented across the
organization without exception before moving on to more advanced
controls.
* Create a data retention plan--Sixty-six percent of breaches
involved data that the victim did not know was on the system. Identify
and quantify the types of data retained during business activities and
then work to categorize it based on risk and liability.
* Control data with transaction zones--Investigators concluded that
network segmentation can help prevent, or at least partially mitigate,
an attack.
* Monitor event logs--Evidence of events leading up to 82 percent
of data breaches was available to the organization prior to actual
compromise. Processes that ensure the timely, efficient, and effective
monitoring of and response to network events are critical to protecting
data.
* Create an incident response plan--If a breach occurs, be ready to
act. An effective incident response plan will ensure a breach can be
stopped before data is compromised.
* Increase awareness and testing--Educate employees about the risks
of data compromise, their role in preventing it, and how to respond.
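Two of the findings above lend themselves to a concrete check: evidence of the events leading up to most breaches was already in the logs, and nine of ten breaches involved an "unknown" system or account. The script below is an added example (not code from the report or from Verizon Business) that runs two simple detections over a handful of constructed, simplified SSH authentication log lines: it flags logins on hosts missing from an assumed asset inventory, and it flags a successful login that follows a burst of failed attempts from the same source. The log format, host names, addresses and inventory are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report). The format is a
# simplified syslog-style auth log:
#   <ISO timestamp> <host> sshd: <FAILED|ACCEPTED> <method> for <user> from <source>
SAMPLE_LOG = """\
2008-03-01T02:10:01 db01 sshd: FAILED password for admin from 203.0.113.7
2008-03-01T02:10:04 db01 sshd: FAILED password for admin from 203.0.113.7
2008-03-01T02:10:09 db01 sshd: FAILED password for admin from 203.0.113.7
2008-03-01T02:10:15 db01 sshd: FAILED password for admin from 203.0.113.7
2008-03-01T02:10:22 db01 sshd: FAILED password for admin from 203.0.113.7
2008-03-01T02:10:30 db01 sshd: ACCEPTED password for admin from 203.0.113.7
2008-03-01T03:00:00 web02 sshd: ACCEPTED publickey for deploy from 10.0.0.5
2008-03-01T03:05:00 legacy-ftp sshd: ACCEPTED password for root from 198.51.100.9
2008-03-01T09:00:00 web02 sshd: FAILED password for deploy from 10.0.0.5
2008-03-01T09:00:30 web02 sshd: ACCEPTED password for deploy from 10.0.0.5
"""

# Assumed asset inventory: the hosts the organization knows it owns.
# Anything else that shows up in the logs is an "unknown system".
KNOWN_HOSTS = {"db01", "web02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<status>FAILED|ACCEPTED) "
    r"\S+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise rather than abort the whole run
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "status": m["status"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def unknown_host_events(events, known_hosts):
    """Events on hosts that are not in the inventory (the report's 'unknown systems')."""
    return [e for e in events if e["host"] not in known_hosts]


def brute_force_successes(events, threshold=5, window=timedelta(minutes=5)):
    """Flag an ACCEPTED login preceded by at least `threshold` FAILED attempts
    for the same host/user/source within `window`."""
    failures = defaultdict(list)  # (host, user, src) -> failure timestamps
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["user"], e["src"])
        if e["status"] == "FAILED":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append({
                "ts": e["ts"], "host": e["host"], "user": e["user"],
                "src": e["src"], "failures": len(recent),
            })
        failures[key].clear()  # a success resets the counter for this key
    return findings


def run_checks(text=SAMPLE_LOG, known_hosts=KNOWN_HOSTS):
    """Run both detections and return the findings as a dict."""
    events = parse_log(text)
    return {
        "unknown_hosts": sorted({e["host"] for e in unknown_host_events(events, known_hosts)}),
        "brute_force": brute_force_successes(events),
    }


if __name__ == "__main__":
    result = run_checks()
    for host in result["unknown_hosts"]:
        print(f"login activity on host not in inventory: {host}")
    for f in result["brute_force"]:
        print(f"{f['ts']} {f['host']}: {f['failures']} failures then success "
              f"for {f['user']} from {f['src']}")
```

On the sample data the first check surfaces `legacy-ftp`, a host nobody listed in the inventory, and the second surfaces the `admin` login on `db01` that followed five failures in under a minute; the single failure before the `deploy` login on `web02` stays below the threshold. Both signals were present in the log before anything was compromised, which is exactly the point the report makes about monitoring: the data is there, but only a process that reads it and acts on it turns it into protection.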
Partner Peril
According to a study by the Verizon Business Risk Team,
business partners put companies at the greatest risk for
data breaches, closely followed by employees.
Source     Likelihood (%)   Impact (# of records)   Risk (pseudo)
External   73               30,000                  21,900
Internal   18               375,000                 67,500
Partner    39               187,500                 73,125
Source: Verizon Business Risk Team, "2008 Data Breach
Investigations Report"
COPYRIGHT 2008 Association of Records Managers & Administrators (ARMA)