Data Breaches
Confidential information continues to be extracted from organisations around the world, despite increased spending on security technology and security education. What follows are extracts from a McAfee report based on its own research.
Essential tools, such as data loss prevention (DLP) and endpoint detection and response (EDR), that could stop a majority of these breaches remain stubbornly under-deployed or are running in monitor-only mode. The good news is that the increase in security education appears to have reduced the incidence of both accidental and intentional insider data theft. Overall, IT professionals are now discovering the majority of these breaches and hold themselves responsible for data loss. Many also think that senior executives should lose their jobs if a breach occurs on their watch, possibly because those executives demand more open policies for themselves.
Methodology
The IT security professionals who were interviewed in December 2018 experienced an average of six significant data breaches over the course of their careers. In almost three quarters of these incidents, the data breach was serious enough to require public disclosure or have a negative financial impact on the company, an increase of five percentage points from the previous 2015 data exfiltration study.
This new study looks at the data breach realities and responses of commercial organisations (1,000 to 5,000 employees) and enterprise organisations (more than 5,000 employees) in Australia, Canada, France, Germany, India, Singapore, the United Kingdom, and the United States.
It surveyed 700 information technology and security professionals with decision-making authority in a wide range of industries who experienced at least one serious data breach in their careers. They were asked about breach and exfiltration details, insider versus external threats, and the people, processes, and technologies that helped prevent these breaches, or could have helped prevent them. Consistent with previous studies, theft of personally identifiable information (PII) is the number one concern. However, increases in intellectual property theft have raised it to a tie for first place, well ahead of appropriation of payment card information.
Who is Taking the Data?
External actors and threats are responsible for an increasing percentage of data theft, rising from 57% of breaches in 2015 to 61% in 2018. External actors include hackers, malware authors, organised crime, nation states, and activists. The most significant change over the past three years in this group was an increase in malware-driven theft, rising from 23% in 2015 to 29% in 2018.
Internal actors are a mix of employees, contractors and other parties with inside access. This category includes both intentional and accidental exfiltrations. Employee driven breaches account for almost 60% of internal incidents. The most significant changes in this group are a four-point increase in accidental breaches (27% to 31%) and a six-point drop in intentional breaches (30% to 24%). The shift towards more accidental breaches points to the continued importance of repeated security awareness training.
Breaches Are Occurring
Data theft continues to affect most organisations, with 61% of IT professionals reporting at least one data theft incident over their careers. The frequency of these incidents appears to be increasing, as 61% reported a breach at their current company, but only 48% at their former company.
Severity of breaches is also growing. Over the past three years, the percentage of organisations experiencing a breach serious enough to require public disclosure or to have a negative financial impact on the company has risen from 68% to 73%. On average, respondents have experienced almost six serious breaches each during their professional lives to date: 5.4 each at commercial organisations and 6.1 at larger enterprises.
Most Vulnerable Internal Groups
New to this year's report was a question about which internal groups generate the most data leaks. Interestingly, IT or security departments are involved in just over half of all leakage events, and more than 60% of those occur in Asia-Pacific organisations.
Business operations and production are second at 29%, possibly due to their extensive interactions with a wide range of external entities. Sales employees are in third place, at 26%. A common case in sales is individuals downloading their contacts prior to leaving the company. The groups least likely to cause leaks are legal (6%), finance (12%) and human resources (15%), suggesting that these groups recognise the sensitivity of the information they work with. Sixty percent of respondents use information like this to target their high-risk groups for additional information security training.
What Data Can the Insiders Take?
Personally identifiable information (PII) and intellectual property (IP) are now tied as the data categories with the highest potential impact for 43% of respondents. Notably, PII is of greater concern in Europe (49%), most likely due to the recent enforcement date of the General Data Protection Regulation (GDPR). In Asia-Pacific countries, intellectual property theft is of greater concern (51%) than PII. Continuing improvements in fraud detection and prevention methods for credit cards are likely responsible for the declining concern over theft of payment card data, which now ranks third at 30%.
When it comes to intellectual property theft, direct competitors are seen as the primary source of concern (23%), followed by internal employees (19%). This may be a combined threat due to job changes and movement of people between companies within the industry.
In general, companies consider structured data to be a higher priority for protection (45%) than unstructured data (39%), but North American firms are most likely to consider both equally important (48%). In the survey, structured data is defined as databases typically associated with information such as payment card data and health records. Unstructured data is defined as documents typically associated with intellectual property like formulas, designs, and proprietary knowledge.
International Espionage
Overall, nation-state actors are the number three source of concern for intellectual property theft. The top countries of concern are China, Russia and North Korea. For some industries, however, international espionage is the number one concern for IP theft. These include automotive, biotechnology, electronics, financial services, and manufacturing. Overall, 55% of organisations buy insurance to protect themselves from IP theft, and a further 36% plan to add this protection within the next few years.
How are they taking data?
Confidential data is being stolen by a wide range of vectors, both electronic and physical. Overall, database leaks and network traffic are the most common vectors. However, corporate email is number one in North America, while USB drives are the number one exfiltration vector in European and Asia-Pacific countries.
When it comes to insider threats, email leakage is the biggest security hole, followed by risky users and USB drives. All of these could be significantly reduced with additional education on corporate policies and appropriate online behaviour. This helps explain why education is one of the top two tactics targeted to help reduce exfiltration.
How are the clouds doing?
Cloud applications and infrastructure are widely deployed, yet do not appear to result in any more data theft than traditional networks and data centres. Almost half of the organisations surveyed (46%) use a hybrid cloud/on-premises data storage approach, while 29% are cloud only and 25% keep their data on premises.
Around two-thirds (63%) of the breaches experienced by the respondents occurred on traditional networks, and one-third on cloud infrastructure. Even with the substantial increase in cloud usage over the past three years, this ratio has remained the same, which points to the security controls available from, or for, cloud providers being effective in practice. Note that the survey does not report how much data each environment holds, so the unchanged ratio on its own does not establish that cloud storage is intrinsically safer. Either way, it does not stop people from worrying about the cloud. When asked whether they had major concerns about Infrastructure-as-a-Service (IaaS) cloud providers, respondents named Amazon Web Services (AWS) (22%), Google Cloud (21%), Oracle Cloud (18%), and Microsoft Azure (16%). When presented with a list of cloud applications and services and asked which ones they are most concerned about, respondents listed Microsoft OneDrive as number one, followed by Cisco WebEx and Salesforce. Since these popular cloud applications are widely used, it makes sense that they would be top of mind for respondents.
What to Do About It
Security technology continues to be the first priority in terms of keeping up with evolving threats for about half of organisations worldwide (49%), followed by enhancing the skills of their people (29%), and changes to business processes (22%). One reason that people are not the top priority is the scarcity of security expertise. Identifying and hiring additional security people may not be a viable option, due to lack of availability or the salary expense.
Over the last 12 months, more than half of all organisations have purchased additional security products, invested in employee security training, and enhanced the capabilities of their security operations centre (SOC). Just under half have hired more security staff, while a third have chosen to work with a managed security service provider. DLP, EDR, and cloud access security brokers (CASB) are the typical security technologies deployed to combat data theft.
All too often, even if these tools are deployed in an organisation, they are left in a default configuration or in monitor-only mode. There can be several reasons for this, but the two most common are a lack of experienced staff to configure the tools properly, or a belief that automatically blocking suspicious activity causes too much disruption to business activities or production processes.
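To make the email exfiltration vector and the monitor-only problem concrete, here is a small added example (written for this page, not code from the McAfee report or any vendor product) of the decision a DLP policy makes on outbound mail. It assumes a hypothetical internal domain of example.com, a constructed set of outbound messages, and two policy modes named "monitor" and "block". The Luhn check on candidate card numbers is there because false positives on ordinary 16-digit order numbers are exactly what makes teams reluctant to turn blocking on.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical policy modes for this example; the names are not any vendor's.
MONITOR = "monitor"   # log the finding but deliver the message (the under-deployed default)
BLOCK = "block"       # stop delivery and log the finding

# Candidate card numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US social security number shape NNN-NN-NNNN (illustrative PII pattern).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit order number is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[str]:
    """Return the PII categories found in the text (one entry per finding)."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("payment_card")
    if SSN_RE.search(text):
        findings.append("ssn")
    return findings


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    body: str


@dataclass
class Verdict:
    delivered: bool        # did the message leave the organisation?
    findings: List[str]    # what the content inspection found
    action: str            # "allow", "monitor" or "block"


def is_internal(addr: str, domain: str) -> bool:
    return addr.lower().endswith("@" + domain)


def evaluate(msg: OutboundMessage, mode: str, domain: str = "example.com") -> Verdict:
    """Apply the policy: PII going to an external recipient is a violation."""
    findings = find_pii(msg.body)
    if not findings or is_internal(msg.recipient, domain):
        return Verdict(True, findings, "allow")
    if mode == BLOCK:
        return Verdict(False, findings, BLOCK)
    # Monitor-only mode records the violation but the data still leaves.
    return Verdict(True, findings, MONITOR)


# Constructed sample traffic (not real messages): the hypothetical domain is example.com.
SAMPLE_MESSAGES = [
    OutboundMessage("alice@example.com", "bob@example.com",
                    "card on file 4111 1111 1111 1111 for the Q3 renewal"),
    OutboundMessage("alice@example.com", "buyer@partner.test",
                    "use card 4111 1111 1111 1111, exp 12/26"),
    OutboundMessage("shop@example.com", "customer@mail.test",
                    "Your order 1234567890123456 has shipped"),
    OutboundMessage("hr@example.com", "broker@outside.test",
                    "my SSN is 123-45-6789 for the form"),
]


def run_policy(mode: str) -> List[Verdict]:
    """Evaluate every sample message under the given mode, in order."""
    return [evaluate(m, mode) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for mode in (MONITOR, BLOCK):
        print(f"--- {mode} mode ---")
        for msg, v in zip(SAMPLE_MESSAGES, run_policy(mode)):
            print(f"{msg.recipient:<22} action={v.action:<8} delivered={v.delivered} "
                  f"findings={v.findings}")
```

Run as-is, the monitor pass delivers all four messages while logging two violations; the block pass stops the two external messages that carry PII and still lets the internal card reference and the order number through, which is the behaviour a team needs to see before it is comfortable switching the real tool out of monitor-only mode.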
After getting the above tools deployed and configured effectively, the top technology-related step towards reducing the risk of data exfiltration is integrating the multitude of security technologies. For example, while 62% of organisations interviewed have both CASB and DLP in place, 81% of those have separate policies and/or management consoles for these tools, resulting in delayed detection and remediation actions.
Technology integration and employee education are thought to be the top two actions to reduce the risk of data exfiltration. However, full deployment and active configuration of fundamental security technologies, such as CASB, DLP and EDR, is an important step that would likely stop as much as 80% of the breaches experienced by respondents.