
Anatomy of a Data Breach

October 23, 2009


For companies with critical information assets such as customer data, intellectual property, and trade secrets, the risk of a data breach is now higher than ever before. Here are four steps to take to significantly reduce the risk of a breach.
What a difference a few years can make.
Data breaches, once considered the handiwork of a ragtag cadre of hackers, now pose more of a threat than ever before. According to one estimate, more electronic records were breached in 2008 than in the previous four years combined (Verizon Business Risk Team, 2009 Data Breach Investigations Report).
Why the sudden surge? Third-party research into the root causes of data breaches, including data supplied by the Symantec Global Intelligence Network, identifies three main sources: well-meaning insiders, targeted attacks by organized criminals, and malicious insiders.
This article takes a close look at the primary causes of data breaches and then shows how organizations can significantly reduce the risk of a breach by protecting their infrastructure, developing and enforcing IT policies, protecting information proactively, and managing their systems.

The well-meaning insider

It’s hardly news that the amount of data generated by organizations today is growing exponentially. It shouldn’t be surprising, then, that the amount of sensitive data that winds up on unprotected laptops, desktops, and servers is growing too.
The fact is, company employees who inadvertently violate data security policies now play a major role in data breaches. According to a recent Ponemon Institute survey of companies that have experienced a data breach, 88% of the cases involved incidents resulting from negligence (Cost of a Data Breach, Ponemon Institute, February 2009).
So who, exactly, is a “well-meaning insider”? It’s the employee who has legitimate access to the network but who unwittingly exposes your company to risk by failing to observe data security policies. It’s the employee who leaves an unencrypted USB drive with sensitive data in a cab or who loses a laptop. It’s the contractor who emails sensitive data to herself using her Gmail or Hotmail account so she can work on it at home. It’s the business partner who accidentally emails sensitive information to the wrong person because of the auto-fill in Outlook. The list goes on and on.
According to Symantec research, the most common type of data breach occurs when insiders store, send, or copy confidential data unencrypted, and that data is then captured by attackers.

Targeted attacks by organized criminals

How pervasive is the threat posed by cyber-criminals? If the latest Symantec Internet Security Threat Report is any indication, the threat has never been greater.
According to Volume XIV of the report, issued in April, attackers released Trojan horses, viruses, and worms at a record pace in 2008, primarily aimed at stealing information for the purpose of identity theft. Specifically, Symantec documented a staggering 1.6 million instances of malicious code on the Web in 2008. That compares with 624,267 instances in 2007.
Vincent Weafer, Symantec’s vice president of security content and intelligence, put these numbers in perspective in an interview with Reuters.
“Sixty percent of all the [malicious code] threats in the past 20 years came in the last 12 months alone,” Weafer said.
Weafer added that this explosive growth can be attributed to the increasing professionalism of malicious code development.
Consider the case of Albert Gonzalez, the 28-year-old Miami man who was indicted in the 2005 data breach at T.J. Maxx stores. In August 2009, federal prosecutors charged Gonzalez and two unnamed Russian conspirators with breaking into the computer networks of several major financial institutions and retailers around the country and stealing data from more than 130 million credit and debit cards.
Prosecutors called it the largest case of computer crime and identity theft ever prosecuted.
“The scope is massive,” said Assistant U.S. Attorney Erez Liebermann at the time. “This guy worked very, very hard at something he was very good at.”
The targets in this case included the New England supermarket chain Hannaford Brothers Co., the 7-Eleven Inc. chain, and Heartland Payment Systems, a company that processes credit card payments for thousands of stores and businesses across the country.
A prime example of the type of underground professional organization flourishing today is the Russian Business Network. The RBN reputedly specializes in the distribution of malicious code, hosting malicious websites, and other malicious activity. The RBN has been credited with creating approximately half of the phishing incidents that occurred worldwide in recent years.
According to researchers at the Symantec Global Intelligence Network, many of today’s cyber-criminals have connections to government agencies and are very well funded.

Malicious insiders

Given the state of the economy, it’s no surprise that malicious insiders are responsible for an increasing number of data breaches. Employees who in other circumstances would be reliable and critical personnel find themselves contemplating illegal actions, such as stealing confidential information.
With layoffs increasing, administrators are responsible for restricting the access privileges of every terminated employee immediately. When larger companies are cutting hundreds or thousands of employees across various departments, that is a heavy burden for administrators.
How extensive is the problem of the malicious insider? Earlier this year, Symantec and the Ponemon Institute announced the results of a joint survey of employees who lost or left a job in 2008. The results revealed that 59% of ex-employees admitted to stealing confidential company information, such as customer contact lists. The results also showed that if respondents’ companies had implemented better data loss prevention policies and technologies, many of those instances of data theft could have been prevented.
The bottom line: The malicious insider drives many of today’s data breaches.
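The deprovisioning burden described above is easier to carry when it is checked mechanically rather than by memory. The following is an added example, not code from the article or from Symantec: it reconciles a constructed HR termination feed against a constructed directory export and reports accounts that are still enabled past their owner's termination date, ranking the ones that have actually been used since termination first. The field names (`employee_id`, `terminated_on`, `last_login`, `enabled`) and the grace-period policy are assumptions, not a real HRIS or directory schema.

```python
"""Reconcile an HR termination list against still-enabled accounts.

Added illustration for the article's point about restricting access for
terminated employees. All records below are constructed sample data and the
field names are assumptions, not any real HR or directory product's schema.
"""
from datetime import date, timedelta

# Constructed HR feed: employees whose employment has ended, with the end date.
HR_TERMINATIONS = [
    {"employee_id": "E1001", "terminated_on": date(2009, 10, 1)},
    {"employee_id": "E1002", "terminated_on": date(2009, 10, 20)},
    {"employee_id": "E1003", "terminated_on": date(2009, 9, 15)},
]

# Constructed directory export: accounts, whether they can still log in,
# and when they last did.
ACCOUNTS = [
    {"employee_id": "E1001", "username": "jdoe", "enabled": True, "last_login": date(2009, 10, 21)},
    {"employee_id": "E1002", "username": "asmith", "enabled": True, "last_login": date(2009, 10, 19)},
    {"employee_id": "E1003", "username": "bwong", "enabled": False, "last_login": date(2009, 9, 14)},
    {"employee_id": "E1004", "username": "clee", "enabled": True, "last_login": date(2009, 10, 22)},
]


def find_orphaned_access(terminations, accounts, as_of, grace=timedelta(days=0)):
    """Return enabled accounts whose owner left more than `grace` days before `as_of`.

    Each finding records whether the account was used after the termination
    date. That is the higher-severity case: the departed person, or someone
    holding their credentials, actually logged in.
    """
    ended = {t["employee_id"]: t["terminated_on"] for t in terminations}
    findings = []
    for acct in accounts:
        end = ended.get(acct["employee_id"])
        if end is None or not acct["enabled"]:
            continue  # current employee, or already disabled
        if as_of <= end + grace:
            continue  # still inside the allowed deprovisioning window
        findings.append({
            "username": acct["username"],
            "days_open": (as_of - end).days,
            "used_after_termination": acct["last_login"] > end,
        })
    # Used-after-termination first, then the longest-open accounts.
    return sorted(findings, key=lambda f: (not f["used_after_termination"], -f["days_open"]))


def run_audit(as_of_iso="2009-10-23", grace_days=0):
    """Convenience wrapper over the constructed data, taking the date as ISO text."""
    return find_orphaned_access(HR_TERMINATIONS, ACCOUNTS,
                                date.fromisoformat(as_of_iso), timedelta(days=grace_days))


if __name__ == "__main__":
    for f in run_audit():
        flag = "USED AFTER TERMINATION" if f["used_after_termination"] else "idle"
        print(f"{f['username']:<8} open {f['days_open']:>3} days  {flag}")
```

With the constructed data, a zero-day grace period flags `jdoe` (terminated three weeks ago and logged in since) ahead of `asmith` (terminated three days ago, no login since); a three-day grace period leaves only `jdoe`. Feeding the real HR and directory exports into `find_orphaned_access` on a schedule turns the administrator's obligation into a daily list rather than a memory exercise.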

What it all means

So given that the risk of a data breach is now higher than ever before, does that mean that breaches are inevitable, simply the cost of doing business in an information age? Not at all. Symantec believes breaches are preventable. However, the only strategies with a chance of success must be both risk-based and content-aware. Also, preventing data breaches requires multiple solutions working in concert to solve the problem.
Here are four steps any organization can take to significantly reduce the risk of a data breach:
  • Step 1: Protect the infrastructure. Today you need visibility into your systems so that you can manage them properly and ultimately protect them against emerging threats. That means securing all endpoints, protecting email, defending critical internal servers, and backing up and recovering data securely. Symantec Protection Suite creates a protected endpoint, messaging, and Web environment that is secure against today’s complex malware, data loss, and spam threats, and is quickly recoverable in the event of failure.
  • Step 2: Develop and enforce IT policies. By prioritizing risks and defining policies that span across every location, organizations can enforce policies through built-in automation and workflow. This allows you not only to identify threats but to remediate incidents as they occur or to anticipate them before they even happen. Symantec Control Compliance Suite is a group of integrated products that help to reduce the cost of managing compliance through process automation. CCS provides a comprehensive view of risk and compliance posture through a combination of point-in-time controls assessment and real-time monitoring of risks and threats.
  • Step 3: Protect information proactively. To protect information proactively is to take an information-centric approach to protecting both information and interactions. It’s not enough to know where information resides—you need to know how it moves and who has access to it. Taking a content-aware approach to protecting information is key in knowing where your sensitive information resides, who has access to it, and how it’s coming into or leaving your company. Symantec Data Loss Prevention enables companies to discover, monitor, and protect confidential data wherever it’s stored or used. By measurably reducing risk, it gives organizations confidence to demonstrate compliance while protecting their customers, brand, and intellectual property.
  • Step 4: Manage systems. Security needs to make your life easier through standardization, workflow, and automation—simple things that you can put in place to make security software do the heavy lifting, everything from patch management to regulatory audits. Security is managed more efficiently with standardization and automation. The Altiris Total Management Suite from Symantec is a comprehensive suite of IT lifecycle automation solutions designed to help IT organizations manage, secure, and support all IT assets, promoting effective service delivery.
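Step 3 describes a content-aware control: decide what leaves the company based on what the data is and where it is going, not just on who sent it. The following is an added example, not Symantec Data Loss Prevention or any code from the article. It inspects constructed outbound messages for payment card numbers (a digit-run pattern validated with the Luhn check, so order numbers and other digit strings are not flagged) and combines that with the recipient domain, including the personal-webmail case the article raises. The company domain, the webmail list, the policy actions and the message samples are all assumptions.

```python
"""Content-aware check on outbound mail, in the spirit of the article's Step 3.

Added example, not Symantec's product or code. The company domain, the
personal-webmail list, the policy actions and the sample messages are
constructed assumptions.
"""
import re

COMPANY_DOMAIN = "example.com"                       # assumed
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}  # assumed list

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Candidates only; the Luhn check below does the real filtering.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalised digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits for the incident record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_message(msg):
    """Map content plus destination to a policy action (constructed policy)."""
    cards = find_card_numbers(msg["body"])
    recipient_domains = {addr.split("@")[-1].lower() for addr in msg["to"]}
    external = recipient_domains - {COMPANY_DOMAIN}
    to_webmail = bool(external & PERSONAL_WEBMAIL)
    if cards and external:
        action = "block"      # card data leaving the company
    elif cards:
        action = "encrypt"    # internal recipient: allow, but not in clear text
    elif to_webmail:
        action = "log"        # the personal-webmail pattern is worth a record even with no match
    else:
        action = "allow"
    return {"action": action, "card_count": len(cards),
            "masked": [mask(c) for c in cards], "external": sorted(external)}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"to": ["partner@gmail.com"],
     "body": "Here is the customer list. Card 4111 1111 1111 1111 exp 12/11."},
    {"to": ["finance@example.com"],
     "body": "Refund for 5500000000000004 processed this morning."},
    {"to": ["me@hotmail.com"],
     "body": "Sending the Q3 deck so I can work on it from home."},
    {"to": ["ops@example.com"],
     "body": "Order 1234567890123456 shipped."},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        r = classify_message(msg)
        print(f"{r['action']:<8} cards={r['card_count']} {r['masked']} to={msg['to']}")
```

The fourth sample contains a sixteen-digit order number that fails the Luhn check, so it is allowed rather than blocked; that is the difference between pattern matching and content awareness. A production control would add other identifiers (account numbers, national IDs, document fingerprints), but the decision structure stays the same: what the content is, combined with where it is going.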


The growth in data breaches should surprise no one. In a world where data is everywhere, it is harder than ever for organizations to protect their confidential information. That’s why it is essential to create an effective prevention and response plan. By following the preceding four steps, organizations can use proven solutions to significantly reduce the risk of a data breach.
For more information, be sure to attend the Symantec Webcast, “Why Breaches Happen … And What to Do About It.”
