Study: 90% of Breaches Could Have Been Easily Prevented

SEATTLE–A new study reveals that 90% of data breaches that occurred in the first half of 2014 could have easily been prevented.

That finding is from the Online Trust Alliance (OTA), a non-profit with the mission “to enhance online trust,” which Monday released its 2015 Data Protection Best Practices and Risk Assessment Guides.

OTA analyzed more than 1,000 breaches involving the loss of personally identifiable information in 2014 and found that only 40% were the result of external intrusions, while 29% were caused by employees—accidentally or maliciously—due to a lack of internal controls. The balance of incidents were primarily attributed to lost or stolen devices or documents (18%) and social engineering/fraud (11%).

“Businesses are overwhelmed with the increasing risks and threats, yet all too often fail to adopt security basics,” said Craig Spiezle, OTA executive director and president. “Releasing the Guides and best practices in advance of Data Privacy and Protection Day will provide businesses with actionable advice. When combined with other controls, these can help prevent, detect, contain and remediate data breaches.”

OTA identified the top 12 most critical security practices that all companies should follow, some of which it stated could have helped prevent and contain the massive Target and Home Depot data breaches. Those best practices include:

Enforce effective password management policies, including multi-factor authentication, requiring users to have a unique password for external vendor systems, and refraining from reusing the same password for internal system and personal website logins.

Apply least-privilege user access, a core security strategy component: all accounts should run with as few privileges and access levels as possible.

Harden client devices by deploying multilayered firewall protections, using up-to-date anti-virus software, disabling locally shared folders by default and removing default accounts.

Conduct regular penetration tests and vulnerability scans of the company’s infrastructure in order to identify and mitigate vulnerabilities and thwart potential attack vectors.

Require e-mail authentication on all inbound and outbound mail streams to help detect malicious and deceptive e-mails including spear phishing and spoofed e-mail.  

Implement a mobile device management program, requiring authentication to unlock a device, locking out a device after five failed attempts, using encrypted data communications/storage, and enabling the remote wiping of devices if a mobile device is lost or stolen.

Copyright Holder: CUToday.info