By Scott M. McAuliffe, CPA, CISA, CFE,
Partner Risk Advisory Services | Emerging Business Team
In early April, Verizon released its annual Data Breach Investigation Report (2015 Data Breach Investigation Report). In reviewing the report, it’s clear that data breaches are happening to more and more companies — big and small. Highlighted below are some report findings that I found particularly interesting:
- Nine percent of exploited vulnerabilities were exploited a year after a patch was published, meaning companies are not patching their servers and PCs in a timely manner.
- The largest percentage of attacks (29 percent) results from miscellaneous errors. The majority of miscellaneous errors are caused by incorrect delivery (sending information to the wrong recipient), publishing errors (publishing nonpublic data to a public web server), and disposal errors (insecure disposal of personal and medical data). This demonstrates that human error still plays a big role in data breaches.
- Twenty-one percent of attacks result from insider misuse. Of these attacks, 55 percent were the result of individuals abusing their user access. Moreover, 38 percent of attacks involved end users – only 6 percent and 2 percent were related to developer or system administrator abuse, respectively. This illustrates how important it is to restrict access based on each individual’s job responsibilities and to enforce proper segregation of duties.
- Fifteen percent of attacks result from physical theft/loss. Of these thefts, 55 percent occurred at the victim’s work area.
In short, it seems that many data breaches can be prevented with better controls and diligence inside your company. As detailed in a recent article in Security Magazine, emerging businesses should consider these six cybersecurity defenses:
- While security costs money, lack of security can cost your company more.
- Establish an incident response plan that trains employees on what to look for, provides contingencies for different incidents and defines roles and responsibilities.
- Understand your IT environment, including your IT partners and vendors.
- Depending on how sensitive the data you maintain is, strong passwords might not be enough and should be supplemented with multifactor authentication.
- Access to sensitive information should be restricted to only those people who need it to perform their job responsibilities.
- Retain data and data logs for a sufficient period of time in the event a breach does occur so that it can be adequately investigated and prevented in the future.
Copyright ©2015. All Rights Reserved BNP Media.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.