The overwhelming majority of high-profile US data breaches could have been prevented by sticking to a dozen security practices, according to the Online Trust Alliance (OTA) which has outlined the most critical in a new report.
The 1,000 breach incidents from the first half of 2014 used in the analysis were drawn from a mixture of sources, including media disclosure, those mentioned by the Privacy Rights Clearinghouse and breaches recorded in the Open Security Foundation’s dbloss.org.
Contrary to perception, only around 40 percent were the result of external compromise, with the rest caused either accidentally or deliberately by employees (29 percent), lost or stolen devices (18 percent), and social engineering fraud (11 percent).
Although breaches have come to be seen as almost unavoidable in some quarters, the OTA’s recommendations suggest making password management a priority, closely followed by adopting a least-privilege network design, better securing vulnerable endpoints, and conducting regular penetration tests.
Other recommendations rounding out the top dozen include requiring email authentication for outbound as well as inbound mail, using mobile device management, centralised logging and monitoring, the use of web application firewalls, locking down Wi-Fi connectivity, implementing Always On Secure Sockets Layer (AOSSL), and constant review of server certificates.
This is a long list. Most firms will employ some of these controls but few adopt all of them, especially password management and least privilege. Endpoints and user accounts often have too much power and reach, as Sony Pictures recently found to its cost when a single admin account was used to jump around its network with disastrous consequences.
“Businesses are overwhelmed with the increasing risks and threats, yet all too often fail to adopt security basics,” said OTA executive director, Craig Spiezle.
The organisation has put its recommendations into a best practices overview and a separate risk assessment guide that also covers the tricky matter of third parties.
That is one twist to the story – just because an organisation adopts the principles outlined by the OTA doesn’t mean all its partners will too.
“Releasing the Guides and best practices in advance of Data Privacy Day will provide businesses with actionable advice. When combined with other controls, these can help prevent, detect, contain and remediate data breaches,” said Spiezle.
In August, the OTA found that 10 percent of US online brands were still breaching the provisions of the CAN-SPAM laws over a decade after they came into effect.
The organisation plans to address breach incidents including Home Depot and Sony Pictures in a series of forthcoming ‘town hall’ meetings in New York, Silicon Valley and Washington DC.