Data Breach Lessons

Earlier this year, the Verizon Enterprise Risk Team released its 2013 Data Breach Investigations Report. This report traditionally provides terrific insight into the frequency and kinds of data breaches that were reported in the previous year. You can obtain a copy at www.verizonenterprise.com/DBIR/2013. The report is fascinating, to be sure, but there are some specific lessons that deserve some special attention:

• Of the 47,000 incidents reported by contributors, only 621 (less than 1.5 percent) had confirmed data disclosures.
• Contrary to popular wisdom, the vast majority of attacks—more than 90 percent—were by outsiders. Only 14 percent of attacks involve “insiders.” In fact, only 1 percent of data breaches was traceable to business partners.
• Less than 1 percent of breaches was attributable to highly sophisticated tactics. Most breaches could have been easily prevented, with almost 80 percent of them being of low or very low sophistication.
• Forty-eight percent of the 47,000 incidents were the result of error—lost devices, publishing mistakes and emails and documents sent to the wrong person.

The top two recommendations issued by the report were: “Eliminate unnecessary data; keep tabs on what’s left” and “Perform regular checks to ensure that essential controls are met.” These are the issues and recommendations that will be driving our customer needs the next several years.

How is PRISM responding to these trends and needs? One of the most important ways is the transformation of PRISM’s Privacy+ program. Starting soon, Privacy+ certified companies will be required to undergo a successful audit of their operations by a third-party auditor, with such audits being completed according to the Statement on Standards for Attestation Engagements (SSAE) 16 standard issued by the American Institute of Certified Public Accountants (AICPA) in the U.S. or the International Standard on Assurance Engagements (ISAE) 3402 standard issued by the International Auditing and Assurance Standards Board (IAASB). To achieve Privacy+ certified status, companies must establish internal controls created to meet a set of objectives designed by PRISM and intended to promote information privacy.

What does this mean? When your customers ask you to what extent you follow the recommendations established by the Verizon report, you can tell them: “Don’t worry—I’ve got it covered. Let me tell you about Privacy+…”

Dave Bergeson is the executive director of PRISM International, Chicago, and can be reached at dbergeson@prismintl.org or at 847-375-4866.