A Highway Code for Data Handling

There’s much practical advice in the British Computing Society and the Information Security Awareness Forum’s new publication Personal Data Guardianship Code released today.

If you don’t think there’s a need, a recent 2009 Data Breach Investigations Report from IT provider Verizon Business suggested that 285 million records were compromised in 2008.

Of course, the lawyers got to it: “This code is not intended to be legal advice and where the reader is unsure about any aspect of the Data Protection Act or other Acts and regulations they should seek legal advice or visit the Information Commissioner’s web site.”

The Verizon study had some interesting numbers, which also looked at the trend lines since last year’s study:

The results showed
69% were discovered by a third party (-6%).
81% of victims were not Payment Card Industry (PCI) compliant.
83% of attacks were not highly difficult (<>).
87% were considered avoidable through simple or intermediate controls (<>).
99.9% of records were compromised from servers and applications.
91% of all compromised records were attributed to organized criminal groups
99.6% of records were compromised from servers and applications

Who is behind data breaches?

74% resulted from external sources (+1%).
20% were caused by insiders (+2%).
32% implicated business partners (-7%).
39% involved multiple parties (+9%).

How do breaches occur?

67% were aided by significant errors (<>).
64% resulted from hacking (+5%).
38% utilized malware (+7%).
22% involved privilege misuse (+7%).
9% occurred via physical attacks (+7%).

To avoid problems:

Ensure essential controls are met.
Find, track, and assess data.
Collect and monitor event logs.
Audit user accounts and credentials.
Test and review web applications.

Comments are closed.