4 More Data Breach Insights to Help Secure Your Enterprise Business


We had a huge response to last week’s “5 Enterprise Data Breach Questions Deciphered” and received a few more questions from our faithful readers. I asked Marc Spitler, senior consultant, network and information security, Verizon, for more insight into the mobile device threat level, how to estimate the cost of a data breach, and why enterprises must patch their legacy systems today.


In reading the vulnerability section of the 2015 Data Breach Investigations Report (DBIR), how is it possible that there are so many devices that are not patched for old common vulnerabilities and exposures (CVEs)?

Marc Spitler, Senior Consultant, Network and Information Security, Verizon

Marc Spitler: Good question and one that we are interested in as well. We do not know the root cause of the lack of patching/updating of the devices in this study. If you see results from vulnerability scanning exercises that are surprising to you, investigate them and determine why a particular weakness still exists on a device. Ask those types of questions to try to improve on existing patch management processes, instead of merely fixing the problem and moving on. It also may be that the risk was mitigated via other controls and while the vulnerability signatures still trigger a ‘hit’ there is no action required.

That being said, organizations should focus on patching legacy devices in parallel with new vulnerabilities as they are revealed. The report shows that when 2014 vulnerabilities were exploited, they were done within two weeks.
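The two points above, that new vulnerabilities were exploited within two weeks and that a scanner “hit” may already be covered by a compensating control, translate directly into how scan output should be triaged. The following is an added example, not Verizon’s code or DBIR data: it sorts constructed scanner findings into action buckets by age and documented mitigation, ranks hosts by their stale-patch backlog (the place to start the root-cause question Spitler suggests), and flags accepted-risk exceptions that have not been re-validated. Host names, vulnerability IDs, the one-year “legacy” threshold and the 180-day exception review interval are all assumptions for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Added example: triage of vulnerability-scanner output around the DBIR's
# two-week exploitation window. Not Verizon's code; thresholds are assumptions.
EXPLOIT_WINDOW = timedelta(days=14)      # DBIR: exploited 2014 CVEs were hit within two weeks
LEGACY_AGE = timedelta(days=365)         # assumption: unpatched for a year signals a process gap
EXCEPTION_MAX_AGE = timedelta(days=180)  # assumption: re-validate accepted risk twice a year

# Constructed scanner findings (not real hosts or vulnerabilities; IDs are placeholders).
# "exception" records a documented compensating control and when it was last reviewed.
FINDINGS = [
    {"host": "web01", "vuln": "EXAMPLE-1", "published": date(2015, 4, 3), "exception": None},
    {"host": "web01", "vuln": "EXAMPLE-2", "published": date(2010, 8, 20), "exception": None},
    {"host": "db01", "vuln": "EXAMPLE-3", "published": date(2012, 1, 15),
     "exception": {"reason": "service filtered at host firewall", "reviewed": date(2015, 3, 1)}},
    {"host": "db01", "vuln": "EXAMPLE-4", "published": date(2015, 4, 10), "exception": None},
    {"host": "legacy-hr", "vuln": "EXAMPLE-5", "published": date(2008, 5, 2), "exception": None},
    {"host": "legacy-hr", "vuln": "EXAMPLE-6", "published": date(2009, 11, 30), "exception": None},
    {"host": "web02", "vuln": "EXAMPLE-7", "published": date(2014, 12, 1), "exception": None},
    {"host": "web02", "vuln": "EXAMPLE-8", "published": date(2011, 6, 6),
     "exception": {"reason": "module disabled in config", "reviewed": date(2014, 1, 10)}},
]


def triage(findings, today):
    """Sort findings into action buckets by age of the flaw and documented mitigation."""
    buckets = {"patch_now": [], "scheduled": [], "legacy_backlog": [], "accepted_risk": []}
    for f in findings:
        age = today - f["published"]
        if f["exception"] is not None:
            # The signature still fires, but a control covers it: track it rather than re-fix it.
            buckets["accepted_risk"].append(f)
        elif age <= EXPLOIT_WINDOW:
            # Inside the window in which the DBIR saw new CVEs exploited: patch first.
            buckets["patch_now"].append(f)
        elif age >= LEGACY_AGE:
            # Old and still unpatched: patch it, and ask why the process missed it.
            buckets["legacy_backlog"].append(f)
        else:
            buckets["scheduled"].append(f)
    return buckets


def legacy_backlog_by_host(buckets):
    """Hosts ranked by number of stale unpatched findings; the root-cause question starts here."""
    counts = Counter(f["host"] for f in buckets["legacy_backlog"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def stale_exceptions(buckets, today):
    """Accepted-risk items whose compensating control has not been re-validated recently."""
    return [f["vuln"] for f in buckets["accepted_risk"]
            if today - f["exception"]["reviewed"] > EXCEPTION_MAX_AGE]


if __name__ == "__main__":
    scan_date = date(2015, 4, 15)  # constructed scan date
    result = triage(FINDINGS, scan_date)
    for name, items in result.items():
        print(f"{name}: {[f['vuln'] for f in items]}")
    print("legacy backlog by host:", legacy_backlog_by_host(result))
    print("exceptions to re-validate:", stale_exceptions(result, scan_date))
```

The point of the separate `accepted_risk` bucket is the one Spitler makes: a scanner hit is evidence, not a verdict, and the exception record (with its review date) is what turns “we think another control covers this” into something that can be audited rather than silently re-triggered every scan.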


The DBIR states that mobile devices aren’t currently a huge target for malicious code. Could you elaborate?

Marc Spitler: We are very confident and stand behind the data that malicious code only affected 0.03% of Android devices per week in 2014. That number represented the percentage of devices infected with malware that was not merely pop-up advertisements that accompany many free apps. We stripped out the annoying but non-malicious adware from the data.

We have a unique opportunity to get ahead of the adversary by establishing processes, procedures and underlying controls in advance of the mobile device threat rate increasing (which we believe will in the future).


Why did you use insurance payouts to estimate the impact of a data breach?

Marc Spitler: Insurance payouts will either be 100% or some proportion less than that if the limit on the policy is reached. We did look at the data for evidence of “ceilings” (claims hitting an upper limit) but didn’t notice any consistent trend (that doesn’t mean it isn’t there). And the distribution of loss didn’t exhibit any signs of artificial skew that would be caused by consistently hitting policy limits.

Our research shows that there is a better way to estimate impact than a simple cost-per-record model. We clearly disclose that this is not a perfect model, but is a step in the right direction and will become stronger if we can continue to collect impact data. Better data on “soft losses” and deeper research into tangible losses (like the insurance payouts) would improve the precision. The bottom line is that with all the limitations of data and imperfections in our model (and there is no perfect model) we have shown that impact is influenced by the number of records lost — the relationship is not linear.


What are the best practices businesses and enterprise organizations must follow to keep their data secure?

Marc Spitler: There is no magic top 10 list. In the DBIR, we review the most common incident classification patterns for your industry. Each of the patterns has a “How can I learn more” section that provides areas of research that businesses can review to better identify the right security initiatives for them. Included are some general recommendations as well. One of the main recommendations from the DBIR series is to collect your own incident data, so you can establish where your weaknesses lie, where improvements have been made, or if improvements are realized after implementation of a security control.


Read the “Verizon 2015 Data Breach Investigations Report” and get the latest information to help protect your enterprise organization from a data breach and safeguard your customers’ personal information.

Visit Verizon’s Security Products and Services portfolio to learn more about cybersecurity and how to protect your network and data against cyberthreats.
