More than 90% of data breaches occurring in the first half of 2014 could have been prevented, according to a report from the Online Trust Alliance (OTA).
In its 2015 Data Protection Best Practices and Risk Assessment Guidelines, the OTA analyzed more than a thousand personally identifiable information breaches reported by the Open Security Foundation and the Privacy Rights Clearinghouse. The OTA report found that only 40% of breaches were caused by external intrusions, while employees caused 29%, whether accidentally or maliciously. That 29% breaks down to 18% of breaches attributed to lost or stolen devices and documents and 11% to fraud.
In addition to identifying the sources of 2014 data breaches, the OTA laid out 12 data protection best practices to avert preventable security breaches in the future:
- Enforce effective password-management policies: Use multi-factor authentication, unique passwords, login abuse detection systems and other preventative measures to stem attacks against user credentials, including brute-force, sniffing, host-based access, and theft of password databases.
- Least-privileged user access (LUA): All accounts should run with as few privileges and access levels as possible to protect against malicious behavior and system faults, as well as minimize damages from exposed passwords or rogue employees.
- Harden client devices by deploying multilayered protections: client and WAN-based hardware firewalls, up-to-date anti-virus software, removal of default accounts, and automatic patch management for operating systems and applications.
- Conduct regular penetration tests and vulnerability scans: Scan your own and your cloud providers' infrastructure regularly, looking for weak points that could lead to data loss or theft.
- Require e-mail authentication (SPF, DKIM and DMARC) on all inbound and outbound mail streams to help detect malicious and deceptive e-mails, including spear phishing and spoofed e-mails.
- Implement a mobile device-management program: Require authentication to unlock a device, lock the device out after five failed attempts, encrypt data in transit and at rest, and enable remote wiping of devices that are lost or stolen.
- Continuously monitor in real time the security of your organization’s infrastructure: Collect and analyze all network traffic in real time, analyze centralized logs and review network statistics.
- Deploy Web application firewalls to detect/prevent common web attacks: Review the Top 10 list of Web application security risks identified by the Open Web Application Security Project.
- Permit only authorized wireless devices to connect to your network: Keep all guest network access on separate servers and devices with strong encryption, such as WPA2 with AES encryption or IPSec VPNs.
- Implement Always On Secure Sockets Layer (AOSSL): Serve every page and request over HTTPS rather than only login or checkout pages, so that data cannot be sniffed in transit between client devices, wireless access points and intermediaries. In current terms this means TLS on every connection; the SSL protocol versions themselves are obsolete.
- Review server certificates for vulnerabilities that could lead to hijacks: The report recommends that sites upgrade from Domain Validated (DV) certificates to Organization Validated (OV) or Extended Validation (EV) certificates. The validation level reflects how thoroughly the certificate authority verified the requester's identity, not the strength of the key or protocol, so it complements rather than replaces keeping the TLS configuration itself current.
- Develop, test and continually refine a data breach response plan: Regularly review and improve the plan based on changes in the organization’s information technology, data collection and security posture. Take the time after an incident to conduct a post-mortem and make improvements to your plan. Conduct regular tabletop exercises testing your plan and personnel.
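To make the "login abuse detection" in the password-management item and the centralized log analysis in the monitoring item concrete, here is an added example; it is not code from the OTA report or from this article. It is a small Python detector run over constructed authentication log lines that flags brute force against one account, password spraying from one source across many accounts, and a successful login that follows a burst of failures. The log line format, the source addresses, and the thresholds (five failures, the same figure the mobile-device item uses for lockout) are assumptions chosen for illustration.

```python
"""Login-abuse detection over centralized authentication logs.

Added example, not part of the OTA guidelines. The log format, sample
lines, addresses and thresholds below are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
#   <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2014-06-01T10:00:01 FAIL user=alice src=203.0.113.7
2014-06-01T10:00:03 FAIL user=alice src=203.0.113.7
2014-06-01T10:00:05 FAIL user=alice src=203.0.113.7
2014-06-01T10:00:07 FAIL user=alice src=203.0.113.7
2014-06-01T10:00:09 FAIL user=alice src=203.0.113.7
2014-06-01T10:00:11 OK   user=alice src=203.0.113.7
2014-06-01T10:05:00 FAIL user=bob src=198.51.100.9
2014-06-01T10:05:01 FAIL user=carol src=198.51.100.9
2014-06-01T10:05:02 FAIL user=dave src=198.51.100.9
2014-06-01T10:05:03 FAIL user=erin src=198.51.100.9
2014-06-01T10:05:04 FAIL user=frank src=198.51.100.9
2014-06-01T10:05:05 FAIL user=grace src=198.51.100.9
2014-06-01T11:00:00 FAIL user=heidi src=192.0.2.44
2014-06-01T11:30:00 FAIL user=heidi src=192.0.2.44
2014-06-01T11:30:10 OK   user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_abuse(log_text, window=timedelta(minutes=10),
                 fail_threshold=5, spray_threshold=5):
    """Scan log lines in order and return alerts as (kind, key, detail) tuples.

    ("brute_force", user, src)         fail_threshold failures against one
                                       account inside `window`
    ("spray", src, n_accounts)         one source failing against
                                       spray_threshold distinct accounts
                                       inside `window`
    ("success_after_burst", user, src) a successful login after a brute-force
                                       alert on that account (likely compromise)
    Each (kind, key) fires at most once to keep the output reviewable.
    """
    fails_per_user = defaultdict(deque)  # user -> deque of (ts, src)
    fails_per_src = defaultdict(deque)   # src  -> deque of (ts, user)
    bursting = set()                     # accounts currently under brute force
    alerted = set()                      # (kind, key) pairs already reported
    alerts = []

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        ts, result, user, src = ev

        if result == "OK":
            if user in bursting:
                alerts.append(("success_after_burst", user, src))
                bursting.discard(user)
            continue

        # Brute force: sliding window of failures per account.
        q = fails_per_user[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= fail_threshold and ("brute_force", user) not in alerted:
            alerted.add(("brute_force", user))
            bursting.add(user)
            alerts.append(("brute_force", user, src))

        # Spraying: sliding window of failures per source, counted by account.
        s = fails_per_src[src]
        s.append((ts, user))
        while s and ts - s[0][0] > window:
            s.popleft()
        distinct = {u for _, u in s}
        if len(distinct) >= spray_threshold and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append(("spray", src, len(distinct)))

    return alerts


if __name__ == "__main__":
    for alert in detect_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector reports a brute-force alert for alice followed by a success from the same source (the case worth an immediate incident-response page), a spray alert for 198.51.100.9, and nothing for heidi, whose two failures fall outside the ten-minute window. Tuning the window and thresholds per system, and feeding the source address into a lockout or rate limit rather than only an alert, is where the "preventative measures" in the password-management item come in.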
More information is available in the OTA’s 2015 Data Protection Best Practices and Risk Assessment Guidelines.