In Defense of Data

linda_park | 01 Jan 2014 | 0 comments
  • Human errors and systems glitches caused nearly two-thirds of data breaches globally in 2012, while malicious or criminal attacks are the most costly everywhere at an average of $157 per compromised record.

2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec, June 2013

  • Malicious attacks (defined as a combination of hacking and insider theft) accounted for nearly 47 percent of the recorded breaches in 2012 in the United States.  Hacking attacks were responsible for more than one-third (33.8 percent) of the data breaches recorded.

A Chronology of Data Breaches, Privacy Rights Clearinghouse, 2012

  • The median number of identities lost per breach increased by 3.5 times in 2012 – from 2,400 to 8,350 per breach.  (The median serves as a useful measure because it ignores the extremes, the rare events that resulted in large numbers of identities...
Suzanne Konvicka | 16 Sep 2013

I see a lot of studies on data breaches in my role at Symantec. Naturally, the recent voluntary report on data breaches from California’s Attorney General piqued my interest. The report describes the 131 notifications her office saw in 2012 and provides recommendations based on those findings. And while it’s not as detailed as some studies from security vendors, the California report is consistent with trends we see nationally and globally. There are many useful nuggets and valuable insights that businesses can take away from this report, so I encourage you to give it a read. You can see the full report here. But, in the meantime, I’d like to offer up what I found to be the most interesting stats and how they compare to broader national and global data breach trends.

Most breaches are not mega-breaches


RobertHamilton | 08 Aug 2013

Patient care will always be priority No. 1 for healthcare facilities. But these days that care extends beyond merely ensuring physical health to include the need to protect patient health information (PHI). Just as their physical bodies are subject to dangerous infections, the theft or misuse of personal information puts patients at risk in a day where that information in the wrong hands can be hazardous.

The protection of a patient’s right to privacy was a driver in the adoption of the Health Insurance Portability and Accountability Act (HIPAA) and subsequently the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under the associated guidelines and rules, facilities were required to notify patients of these breaches, specifically when a breach occurred that was likely to pose a real risk to the individual. And for years now, compliance with the HIPAA Privacy, Security and Enforcement Rules has been a primary motivating factor in healthcare...

RobertHamilton | 05 Jun 2013

Lately not a day goes by without a major news story on cybercriminals, hacktivists, and spies.  These are generally viewed as the main threat actors behind the data breaches that we spend so much time -- and budget -- fighting. But what about Anne in Accounting, Sam in Sales and Paul in Production? While malicious attacks are certainly a significant problem and make for thrilling headlines, it’s mistakes made by people and systems that actually cause the majority of data breaches.

According to the 2013 Cost of a Data Breach study, negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

Insiders greatly contribute to data breaches. In fact, in the eight years since Symantec started tracking data breach costs with the Ponemon Institute, the insider threat leading to data...

linda_park | 08 May 2013

Today’s business users are nothing if not productive, but too often they don’t think about if they are working with confidential data or if they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats by external attackers to the mix plus malicious insiders, who are intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.

CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline.  Symantec recently published a...

Symantec Corp. | 26 Apr 2013

Join Symantec Security Response experts on Twitter (using the #ISTR hashtag) on Tuesday, April 30, at 9 a.m. PT / 12 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report (ISTR), Volume 18.

The ISTR, which covers the major threat trends observed by Symantec in 2012, reveals a significant increase in cyberespionage to gain access to confidential information and valuable intellectual property, and the criminals’ methods of obtaining this information are shifting. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them, representing a threefold increase from 2011.

Mark your calendars to join #ISTR chat and plan to discuss the latest attack vectors and techniques used by cybercriminals to gain access to your intellectual property.

Topic: Internet Security Threat Report:...

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, increasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack than in 2011 (a threefold increase), with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up...

RobertHamilton | 03 Apr 2013

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret. There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of...

ctang | 21 Mar 2013

In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. While outsourcing isn’t a new concept, the rise of readily available cloud-based and everything-as-a-service solutions is rapidly increasing an organization’s liability and risk landscape – often with limited IT oversight.

Unfortunately many enterprises relying on third-party vendors often assume that these third parties properly protect their sensitive employee, customer and business data. Sadly, this is not always the case. Consider these data points:

  • Only 24 percent of respondents require third-party suppliers or partners to comply with baseline security procedures. [1]
  • Although 84 percent of senior IT decision makers [were] concerned or very concerned about the risks associated with IT security breaches, 55 percent of CIOs have not tested cloud vendors’ security systems and procedures. [2]

These numbers are shocking...

phlphrrs | 07 Mar 2013

I came across this article not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there.  Most sites we put our information seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a handful of others with similar interests.  It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay ’cause, well, it’s just my name, and maybe my phone number and/or address.

When it comes to using ecommerce sites we all expect a certain level of security to protect our financial data.  When it comes to non-ecommerce sites, it seems like there’s less thought given about the ramifications of what happens when you provide your personal...