According to “Data Breach Report” issued by Verizon Business in 2008, mostbreaches resulted from a combination of events rather than a single action.Some form of error often directly or indirectly contributed to a compromise.In terms of deliberate action against information systems, hacking proved tobe the attack method of choice among cybercriminals. Although thesebreaches were perpetrated from outside but were facilitated by errors insidethe company’s management. This clearly indicates that most securitybreaches were crimes of opportunity, in which a door was left open andattackers simply walked in and did the damage.
"It’s not about clever or complex security protection measures,"
says Peter Tippett, Vice President of research and intelligence for Verizon BusinessSecurity Solutions.
"It really boils down to doing the basics, from planning toimplementation to monitoring of the data."
The most common errors identified in the study were errors of omission,which account for 79 percent of the mistakes identified. This often involvedstandard security procedures or configurations which were believed to havebeen implemented, but in actuality were not, posing a threat to thecompany’s stability. The breaches can be attributed to a number of causes.Verizon had a system running that was operating without the organization'sknowledge; a system that had unknown access or network connections; or asystem that had unknown accounts or user privileges. To alleviate these internal problems which often lead to external attacks,Verizon should work on some common-sense strategies, including frequentchecks to ensure that policies are carried out, securing business partnerconnections, and creating a data maintenance plan. They should ensure thatbasic and essential security controls are met across the entire organizationconsistently, and that these controls are actually implemented as well. If basic security controls had been in place at the time of attack, nearly allbreaches would likely have been prevented.