External threats coming from partner organisations pose a substantial risk to corporate data security, according to a detailed report examining five hundred forensic data investigations by Verizon Business.
The Verizon report analyses hundreds of corporate data breaches, including three of the top five largest ever reported, and found that while threats from insiders were the most devastating in terms of impact, the larger number of data breaches attributable to partner companies made them a greater risk factor.
While external attacks (those from outside the organisation) were far more common, possibly because 90% of known web-based vulnerabilities exploited had patches available for at least six months prior to the breach, the relative damage of these attacks was found to be a lot lower.
“Business partners were involved in around 39% of the data breaches handled by our investigators,” the summary states.
“In a scenario witnessed over again, a remote vendor’s details were compromised, allowing an external attacker to achieve top levels of access to the victim’s computer systems.”
A typical partner security breach, explained Verizon Business’s director of investigative response, Bryan Sartin, involves an organised crime ring approaching workers in call centres or support jobs and saying, ‘If you don’t like your job or your boss, this is the solution.’
It is a difficult system to crack and fairly safe for criminal organisations because “the person behind it is a pawn”. And despite being easily controllable through good access control (Photo ID Cards) on the part of the outsourcing business, “nine out of 10 victims of partial insider security breaches believe they have invulnerable controls on the partial insider connection. Sometimes they don’t even know where the data is stored,” he says.
“In around 70% of cases it’s a third party that informs the corporation, usually banks, law enforcement or customers. The business is usually caught unaware when it finds out. Often we don’t even need specialised forensic tools because the answers are in the data logs in black and white.”
Unexpectedly, the retail and food and beverage industries accounted for over half of the investigations conducted. Financial entities accounted for another 14% of investigations, while technology services, including software companies, data warehousing firms and telecommunication companies, made up 13% of cases.
Sartin says criminals are turning to easier targets as financial companies become more secure, choosing the path of least resistance.
Restaurant attacks are becoming increasingly common, he warns.
“If two out of three customers complaining of fraud attended the restaurant in the third week of December, we go and ask the proprietor if someone stole the bowl of business cards that was provided on the counter. They often say, ‘How did you know about that?’,” he explains, adding that matching credit card numbers to business cards allows a criminal to develop a valuable picture of the victim’s identity.
“You would expect attacks to be getting more sophisticated,” says Verizon’s manager principal of forensics Matthijs van der Wel, “but from a criminal’s point of view it’s easier to go for the soft target.”
The report comes as stockbroker Merchant Securities was fined £77,000 by the Financial Services Authority for having inadequate data security controls to protect sensitive customer information, including identifying customers over the phone by asking them about holidays and hobbies.