Hacking Surpassing Human Error For Data Breaches?

from the is-that-good-or-bad? dept

A couple of years ago, we noted that the old claim that "insiders" were the biggest data breach threat was no longer true, as other threats were becoming a much bigger deal. While that study seemed to use very different methodology, a new study is out that agrees that insiders are a much smaller threat, but notes that outside hacking surpassed "human error" as the cause of data breaches in 2009. While it's good that human error issues are decreasing as a percentage, is it worrisome that outside hack attacks are now becoming such a major problem? The good news in the data is that there were supposedly fewer reported attacks in 2009 (by a pretty large amount) compared to 2008 -- so one possible reading of the data is that people have been effective in preventing things like human error breaches much more often, which is what allowed outside hack attacks to take the lead on a percentage basis. However, with recent stories of things like China's hack attack on Google, it seems like we'll be hearing more and more stories about these sorts of attacks for one important reason: in many (certainly not all) cases, they can be quite effective.


Reader Comments

  •  
    Falvour, Jan 19th, 2010 @ 11:08pm

    Straw man?

    "Insiders" != "human error", and it's pretty disingenuous to act as though those are equivalent. Take the TJX data breach, for example -- insider info could have been used, and that's no "human error".

    Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance, and a survey last year apparently indicated that a fair number of IT pros will grab confidential data on the way out of the company, even if they don't use it. Didn't anybody here read Halting State?

     


    •  
      Mike Masnick (profile), Jan 20th, 2010 @ 1:47am

      Re: Straw man?

      "Insiders" != "human error", and it's pretty disingenuous to act as though those are equivalent.

      Sorry, I wasn't saying they were the same. I was just comparing the results from two different studies.

       


    •  
      Not a Perv, Jan 20th, 2010 @ 4:58am

      Re: Straw man?

      "Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance"

      Interesting, because they act like their customers are thieves and use that as an excuse to spy upon them as they try on clothes in the "privacy" of those little rooms.

       


    •  
      Bad Security Dept, Jan 20th, 2010 @ 5:03am

      Re: Straw man?

      "Take the TJX data breach, for example -- insider info could have been used, and that's no "human error"."

      What are you saying?
      The root cause of the TJX breach was not due to human error?
      That's laughable.

       


      •  
        Anonymous Coward, Jan 20th, 2010 @ 5:59am

        Re: Re: Straw man?

        Only if you consider a catastrophic failure to implement and follow known (and incessantly repeated by data security folks) best practices a human error. And I mean that's crazy talk. Or maybe if you consider a tight focus on passing a security systems audit that you know about in advance and that only happens once a year--while ignoring it the rest of the year--to be a human error. Most likely, though, it's just a stunning coincidence that the data crime attacks become more sophisticated as the defenses fall out of use. Right?

         


  •  
    Chargone (profile), Jan 20th, 2010 @ 2:34am

    you know, I'm always wary of claims that 'reports of X have reduced' is a good thing. while it can represent that the issues have reduced, and thus the problem is being solved, it can also very often mean that the people who would report things have so lost faith in the system that they no longer see it as worth the effort (that's happened here with a lot of lesser crimes. people just don't bother reporting them much.) alternatively, for many businesses it's in their interest to appear more secure than they actually are, so they may simply underreport such.

    of course, there's no Other way to know how much of such a thing is happening, i suppose, but the automatic assumption that less reports = less issues isn't always the right one.

    'course, this may be simple paranoia speaking. hehe.

     


  •  
    Simon, Jan 20th, 2010 @ 3:42am

    Insider Attacks

    Keep in mind that insider attacks are often quietly dealt with to avoid embarrassment to all parties. If some rogue employee is found lifting data, then it may be mutually agreeable for that person to leave the company. That way the company doesn't have to deal with admitting to their customers that there was (and still is) a risk to their digital assets, and the employee has an improved chance of finding another job or maybe even avoiding a criminal prosecution.

     


  •  
    united hackers association, Jan 20th, 2010 @ 6:01am

    GOVT SPONSORED vs me the hacker

    I've about had it with the media lies and bullshit
    I've about had it with misleading stories painting real hackers as the bad guys when it's these fucktard politicians and their lil spy agencies doing all the bad shit on earth

     


  •  
    Janice Taylor Gaines, Jan 20th, 2010 @ 8:06am

    Most Orgs and Individuals Enjoy "Security" as a Matter of Luck

    I'd be curious to know if anyone else here is reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors – as well as system failures. Even when considering hacking, it can only happen due to poor systems and security design, or poor practice within the org. The book has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).

     
