Hacking Surpassing Human Error For Data Breaches?
from the is-that-good-or-bad? dept
A couple of years ago, we noted that the old claim that “insiders” were the biggest data breach threat was no longer true, as other threats were becoming a much bigger deal. While that study seemed to use a very different methodology, a new study is out that agrees that insiders are a much smaller threat, but notes that outside hacking surpassed “human error” as the cause of data breaches in 2009. While it’s good that human error issues are decreasing as a percentage, is it worrisome that outside hack attacks are now becoming such a major problem? The good news in the data is that there were supposedly fewer reported attacks in 2009 (by a pretty large amount) compared to 2008 — so one possible reading of the data is that people have been effective in preventing things like human error breaches much more often, which is what allowed outside hack attacks to take the lead on a percentage basis. However, with recent stories of things like China’s hack attack on Google, it seems like we’ll be hearing more and more stories about these sorts of attacks for one important reason: in many (certainly not all) cases, they can be quite effective.
Filed Under: data breaches, hacking, human error, insiders
Comments on “Hacking Surpassing Human Error For Data Breaches?”
Straw man?
“Insiders” != “human error”, and it’s pretty disingenuous to act as though those are equivalent. Take the TJX data breach, for example — insider info could have been used, and that’s no “human error”.
Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance, and a survey last year apparently indicated that a fair number of IT pros will grab confidential data on the way out of the company, even if they don’t use it. Didn’t anybody here read Halting State?
Re: Straw man?
“Insiders” != “human error”, and it’s pretty disingenuous to act as though those are equivalent.
Sorry, I wasn’t saying they were the same. I was just comparing the results from two different studies.
Re: Straw man?
“Retail stores know very well that their own employees are the greatest security risk for shoplifting or malfeasance”
Interesting, because they act like their customers are thieves and use that as an excuse to spy upon them as they try on clothes in the “privacy” of those little rooms.
Re: Straw man?
“Take the TJX data breach, for example — insider info could have been used, and that’s no “human error”.”
What are you saying?
The root cause of the TJX breach was not due to human error?
That’s laughable.
Re: Re: Straw man?
Only if you consider a catastrophic failure to implement and follow known (and incessantly repeated by data security folks) best practices a human error. And I mean that’s crazy talk. Or maybe if you consider a tight focus on passing a security systems audit that you know about in advance and that only happens once a year–while ignoring it the rest of the year–to be a human error. Most likely, though, it’s just a stunning coincidence that the data crime attacks become more sophisticated as the defenses fall out of use. Right?
you know, I’m always wary of claims that ‘reports of X have reduced’ is a good thing. while it can represent that the issues have reduced, and thus the problem is being solved, it can also very often mean that the people who would report things have so lost faith in the system that they no longer see it as worth the effort (that’s happened here with a lot of lesser crimes. people just don’t bother reporting them much.) alternatively, for many businesses it’s in their interest to appear more secure than they actually are, so they may simply underreport such.
of course, there’s no Other way to know how much of such a thing is happening, i suppose, but the automatic assumption that less reports = less issues isn’t always the right one.
‘course, this may be simple paranoia speaking. hehe.
Insider Attacks
Keep in mind that insider attacks are often quietly dealt with to avoid embarrassment to all parties. If some rogue employee is found lifting data, then it may be mutually agreeable for that person to leave the company. That way the company doesn’t have to deal with admitting to their customers that there was (and still is) a risk to their digital assets, and the employee has an improved chance of finding another job or maybe even avoiding a criminal prosecution.
GOVT SPONSORED vs me the hacker
I’ve about had it with the media lies and bullshit
I’ve about had it with misleading stories painting real hackers as the bad guys when it’s these fucktard politicians and their lil spy agencies doing all the bad shit on earth
Most Orgs and Individuals Enjoy "Security" as a Matter of Luck
I’d be curious to know if anyone else here is reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors – as well as system failures. Even when considering hacking, it can only happen due to poor systems and security design, or poor practice within the org. The book has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).