A Need For A Change – or – Burning Your Money

Mick Douglas //

Take a look at this chart from last year’s Verizon Data Breach Report.  It shows who notified the breached party when they were attacked.

This graph is a sad indictment for all of us in the information protection industry.  This chart means that only about 1 in 8 breaches is found out by an internal party.  Of course this means that the other 7 of those 8 are discovered by someone external to your organization.  That has got to hurt.  If you doubt me, just ask the PR firm or department of any breached organization.

There are two ways you can look at this chart.  First, you can despair that all the spending on IT security has largely been… what? Wasted?  We’ll not go that far.  Misallocated might be a better way of thinking about how your funds were spent.  Secondly, we can’t help but see that there’s so much room for improvement that virtually anything we change could make a big impact.

In light of such a lopsided graph, it’s plain to see our internal detective controls need a quick boost.  Many are tempted to take the traditional approach to situations such as this, namely spending on new tools until the problem appears to go away.  We at BHIS would suggest a different course of action.  Start making things harder for the bad guys by taking a more active defensive posture.  We’ll be listing some ways to make your defenses more resilient, durable, cost effective, and above all — active over the next few postings here, so stay tuned.

Before we finish this post, one thing to note:  the internal IT Audit Department led the pack for finding the breaches.  That’s great!  Good job auditors! (Seriously, when was the last time you thanked your auditor?)  Let’s make this into a friendly competition and have the IT Operations and Security Teams lead the findings next year!

We’re certainly looking forward to the Verizon Data Breach Report for this coming year.  Who knows what it’ll contain?  Although given how rough “The Year of the Breach” was, the only sure bet is that it will have eye-popping charts.