The Verizon Business RISK Team released a very interesting study early in June. The study contained detailed statistical results and analysis from more than 500 forensic investigations it conducted over a four-year period (2004 to 2007), and claims to represent one-fourth of all publicly disclosed data breaches in that time frame. The RISK Team identified multiple methods to categorize types of data breaches and began classifying their forensic investigations using these categories.
The report is chock-full of statistics and percentages, and some of the latter are confusing because they often add up to far more than 100%, although the report does explain that this is because a single breach can fall into multiple categories. Still, the results are an interesting read for the risk-management crowd. I encourage all of our readers interested in IT risk management to review the document at http://www.verizonbusiness.com/resources/security/databreachreport.pdf.
The results of the study do revisit the age-old question of IT risk management: where does the largest threat source reside? Is it inside the network, or outside the network? To put yet another twist on this oft-asked question, the study additionally adds a third threat source, "partners", that is a blend of the other two. Partners are defined as "any third party sharing a business relationship with the organization", also known as the "extended enterprise." There is no simple answer to the question posed above. The study shows that the answer depends on your environment, your organization, and the value of your data to each of the three parties.
Even if there is no simple answer, the RISK Team does provide interesting answers to the question. First, however, the question must be further qualified by specifying whether the raw number of breaches or the number of records lost in breaches is your preferred measurement. The resulting answer is very different between the two measurements. In terms of raw numbers, the external threat is far and away the largest source, figuring in more than four times as many data breaches as the insider. Even business partners are more than twice as often involved in a breach as a true insider. If, instead, the number of records lost or compromised is your base measurement, the insider accounts for more than 10 times as many as an external source, and more than twice that of partners. So the answer is insiders, case closed, right? Not quite...
The study presents what might be an even better answer to the question of who is the largest threat source: Business Partners. It calculates this answer based on the IT risk equation where risk is defined as likelihood multiplied by impact (R = L x I). If impact is taken as the number of records compromised, and likelihood is taken as the number of compromises conducted by each of the three defined sources (internal, external, and business partner), then business partners represent the largest threat source to the enterprise. Insiders are admittedly close, but still less of a risk than partners.
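The following is an added example, not code from the original post or from the Verizon report. It applies the R = L x I calculation described above to a constructed incident list (the record counts are invented, chosen only so that the three ratios quoted in this post hold: external involved in more than four times as many breaches as insiders, partners in more than twice as many, insiders accounting for more than ten times the records of external sources and more than twice those of partners). Likelihood is the number of breaches per source and impact is the number of records compromised per source, exactly as the post describes; the functions then rank the three sources by each measure so you can see how the ranking changes depending on which one you pick.

```python
from collections import defaultdict

# Constructed sample incidents (not data from the Verizon report):
# (threat source, records compromised in that breach).
INCIDENTS = [
    ("external", 100), ("external", 150), ("external", 80), ("external", 120),
    ("external", 90), ("external", 110), ("external", 130), ("external", 100),
    ("external", 120),
    ("internal", 7000), ("internal", 5000),
    ("partner", 900), ("partner", 1200), ("partner", 800), ("partner", 1100),
    ("partner", 1000),
]


def aggregate(incidents):
    """Per source: likelihood = number of breaches, impact = records compromised."""
    likelihood = defaultdict(int)
    impact = defaultdict(int)
    for source, records in incidents:
        likelihood[source] += 1
        impact[source] += records
    return dict(likelihood), dict(impact)


def _ranked(scores):
    # Highest score first, as (source, score) pairs.
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def rank_by_likelihood(incidents):
    """Ranking by raw number of breaches (the 'how often' measure)."""
    likelihood, _ = aggregate(incidents)
    return _ranked(likelihood)


def rank_by_impact(incidents):
    """Ranking by records compromised (the 'how bad' measure)."""
    _, impact = aggregate(incidents)
    return _ranked(impact)


def rank_by_risk(incidents):
    """Ranking by R = L x I, the product of the two measures above."""
    likelihood, impact = aggregate(incidents)
    risk = {source: likelihood[source] * impact[source] for source in likelihood}
    return _ranked(risk)


if __name__ == "__main__":
    for name, ranking in (
        ("breaches", rank_by_likelihood(INCIDENTS)),
        ("records", rank_by_impact(INCIDENTS)),
        ("risk = L x I", rank_by_risk(INCIDENTS)),
    ):
        print(f"{name:14s}: " + ", ".join(f"{s}={v}" for s, v in ranking))
```

With this constructed input the three rankings disagree in the same way the post describes: external sources lead on breach count, insiders lead on records, and partners come out on top once the two are multiplied, with insiders a close second. Feeding your own incident records into `INCIDENTS` is all that is needed to repeat the calculation for your environment.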
It's not surprising that there is a growing trend in third-party audits. As companies continue to address their own vulnerabilities, they inevitably identify a key partner that, if compromised, would have negative repercussions on their own business. I challenge you to take a critical look at your partners. Are you making assumptions about their internal security procedures? Is it your place to inquire? If a partner provides a critical service to your organization, it is absolutely within your right to question their internal security procedures. "We take security seriously," will more than likely be the answer you will receive; who would admit otherwise? Whether this is good enough for you is a question you must answer. My response would be to show me proof.