Blog

August 19th, 2010

Every year, the highly respected Verizon Business RISK Team, its data-breach investigation group, publishes an analysis of the major data thefts it has been asked to investigate.

This year, a first-ever joint report by Verizon Business and the U.S. Secret Service presents a fascinating view into the state of the data-stealing art, with many surprising facts that should interest all consumers.

Throughout 2009, according to the 2010 Data Breach Investigation Report (PDF), Verizon investigated 57 “confirmed breaches” that included data theft. The Secret Service investigated 84 similar cases. That’s 141 verified cases covering a total of 143 million data records owned by organizations around the world. Verizon’s efforts led to arrests in 15% of its cases; the Secret Service’s rate was a more-impressive 66%.

As you might imagine, many of the victimized companies don’t want their identities to be known. The report states, “… about two-thirds of the breaches covered herein have either not yet been disclosed or never will be.” Nevertheless, this aggregate report is still important: it gives an excellent overview of security problems that could affect you, the consumer.

Who’s stealing sensitive data? Surprise!

I always assumed that most people involved in stealing sensitive data from organizations — bank records, credit-card numbers, personal information — were rogues acting alone, selling their booty via clandestine channels to the highest bidder.

Wrong!

An astonishing 85% of all stolen data records can, according to this report, be traced to organized crime. “Banding together allows criminal groups to pool resources, specialize skills, and distribute the work effort.” Lone wolves aren’t stealing our data. Rather, it’s groups of people, acting in concert with one simple motive: profit.

The report quashed many of my other preconceived notions. For example, insiders (employees, executives, programmers) were actively involved in 48% of the cases — which doesn’t surprise me — but they were implicated in only 3% of the total number of records stolen. Insiders participate in smaller jobs.

I was also surprised to find that the percentage of pilfering attributable to business partners — a category that includes IT service providers, suppliers, and vendors — has fallen steadily. The report can’t pinpoint the reason for the decline in partners’ shenanigans, but does point to the possibility that increased awareness of third-party security threats may be a factor.

It also mentions organizations such as hotel, restaurant, and retail companies that hire outsiders to provide IT services: “Organizations that outsource their IT management and support also outsource a great deal of trust to these partners.” If your company’s thinking about outsourcing, that’s a word to the wise.

And, contrary to widespread publicity, no foreign governments were implicated in data thefts, according to this report.

How the bad guys get your personal information

While headlines herald stories about a bank employee losing a notebook with a gazillion account records or a civil servant dropping a disc with Social Security numbers, the report notes that 98% of the stolen data was snatched directly from company servers — mostly by use of malware and direct hacking.

Once again, the Verizon/Secret Service numbers surprised me. More than half of the malware infections were installed directly by the attacker after gaining access to the server, and SQL injection led the list of ways in. SQL injection doesn't depend on exotic quirks in the database: it happens whenever an application pastes user-supplied text straight into a database query, so that a crafted input becomes part of the query itself. Depending on what the database allows, an injected query can dump records wholesale or, on some platforms, write and run programs that collect data and send it to the attacker.

Perhaps the best-known SQL-injection attack involved American Albert Gonzalez, who on March 25 was sentenced to 20 years in federal prison for stealing more than 90 million credit- and debit-card numbers. (See Wired’s March 25 Threat Level post.) As the Verizon report says, “SQL injection vulnerabilities are endemic, and to fix them you have to overhaul all your code.”
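To make the mechanism concrete, here is an added example (not code from the report or from this blog) showing the two halves of the problem side by side: a lookup that builds its query by string concatenation, and the same lookup with a bound parameter. The “customers” table and its two rows are constructed sample data, and SQLite stands in for whatever database the real application used; the classic payload is supplied as the hypothetical “name” a user typed into a search box.

```python
import sqlite3

# Constructed sample data standing in for a web application's back-end table.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
]

# The textbook payload: closes the quoted string and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: attacker-controlled text is spliced into the SQL itself.

    With PAYLOAD the statement becomes
        SELECT name, card FROM customers WHERE name = '' OR '1'='1'
    which matches every row in the table.
    """
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Fixed: the value is bound to a placeholder and never parsed as SQL.

    The same PAYLOAD is now compared literally against the name column,
    so it matches nothing.
    """
    sql = "SELECT name, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, rows returned by the safe one)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_safe(conn, PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked_count, safe_count = demo()
    print(f"vulnerable query returned {leaked_count} rows for payload {PAYLOAD!r}")
    print(f"parameterized query returned {safe_count} rows for the same input")
```

The fix is not an input filter bolted on in front of the vulnerable function; it is the placeholder in `lookup_safe`, which keeps data and code apart no matter what the user types. That is why the report's remedy is an overhaul of the code rather than a configuration change.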

The second-most-popular method for subverting servers uses drive-by Web infections (where you get an infection without actually clicking anything on a malicious site), followed by infections that require user interaction (“click here to clean your system” come-ons, for example).

Added together, injections and Web infections using malware accounted for 79% of all stolen data — not e-mail, not infected documents, and not zero-day attacks.

Keyloggers — those surreptitiously installed programs that record what you type — made up 36% of all the data breaches but accounted for only 1% of the clandestinely collected data. That’s a big change from last year, when keyloggers collected more than 80% of the compromised data. The bad guys have found more efficient ways to take your information.

And what of the never-ending process of receiving and applying security patches to quickly shore up those security vulnerabilities? Less of a factor than you’d expect, says the report. “It is very interesting to note that there were no confirmed cases in which malware exploited a system or software vulnerability in 2009 … there wasn’t a single confirmed intrusion that exploited a patchable vulnerability.” That is an argument for fixing the basics first, such as the injection flaws and weak access controls the report found attackers actually used, not a reason to stop patching.

What companies must do to protect our data

If this is all starting to sound hopeless, it isn’t. The authors of the report offer many suggestions that every company with sensitive data should consider. Most of them don’t stray far from common sense: give access to sensitive information only to employees who need it, watch your access logs, encourage strong passwords, warn employees about installing rogue antivirus programs, and so on.
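“Watch your access logs” is easy to say and rarely done, so here is an added example (not from the report or this blog) of the kind of review that catches the two patterns behind most of the report’s big thefts: one account pulling far more records than anyone else, and activity at hours when nobody should be working. The log format is hypothetical (timestamp, user, action, record), the lines are constructed, and the thresholds are assumptions to be tuned against your own baseline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in a hypothetical "timestamp user action record" format.
# alice does normal daytime work, svc_backup reads one record at 02:40, and bob
# pulls fifty records in under a minute at the end of the day.
SAMPLE_LOG = "\n".join(
    [
        "2009-11-03T09:12:01 alice READ cust/1001",
        "2009-11-03T09:12:05 alice READ cust/1002",
        "2009-11-03T02:40:10 svc_backup READ cust/1003",
    ]
    + [f"2009-11-03T17:30:{i:02d} bob READ cust/{2000 + i}" for i in range(50)]
)

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE) (\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, user, action, record) tuples.

    Malformed lines are skipped rather than aborting the whole review.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, record = m.groups()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def review(log_text, max_records_per_user=20, business_hours=(7, 19)):
    """Return a list of findings: ("volume", user, count) or ("off_hours", user, record).

    max_records_per_user and business_hours are assumed thresholds; set them
    from what your own logs look like on a normal day.
    """
    events = parse(log_text)
    findings = []

    # Pattern 1: one account touching far more records than the threshold.
    per_user = Counter(user for _, user, _, _ in events)
    for user, count in sorted(per_user.items()):
        if count > max_records_per_user:
            findings.append(("volume", user, count))

    # Pattern 2: any access outside the business-hours window.
    start, end = business_hours
    for ts, user, _, record in events:
        if not (start <= ts.hour < end):
            findings.append(("off_hours", user, record))

    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run daily over yesterday's log and the output is short enough for a person to actually read, which is the whole point: the report notes that victims usually hear about a breach from someone else, and a review like this is how a company hears about it first.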

Even if you aren’t involved with an organization that handles sensitive data, you need to know that the kinds of attacks documented by Verizon are getting larger and more complex.

You can help by regularly checking all of your online information that you can access, reporting any data or activity you see that’s out of the ordinary. Immediately tell your bank, your credit card company, and your stock broker if you think something’s gone awry.

As the report says, “Third-party fraud detection is still the most common way breach victims come to know of their predicament” — in other words, companies learn of breaches when customers report them.

So if you think your data’s been stolen, holler yer head off!

August 25th, 2009

“Why We Did It:” IP Phone System Cuts Costs
“We’re now saving over $500 every month because of our IP phone system, and within 2 years we’ll be saving over $1000 a month,” says Jason Templeton, a licensed practical nurse and the office manager for a two-physician medical practice.
“We got an IP phone system because when the economy tightened, we had to reduce our overhead,” he says.
He produced the cost savings by converting the business’s hosted PBX phone system to an on-site Cisco IP Phone system that uses a broadband cable service to connect voice traffic to the telephone network.
A Business Network? Now’s the Time
The new IP phone system—the Cisco Smart Business Communications System (SBCS) —does more for the 18-employee business than conserve cash.
“The system has a built-in high-tech network firewall so now our data is protected,” Templeton says. “And it has definitely improved our office’s workflow, making everyone more efficient.”
Prior to the Cisco system, the office had no business network; it had just a few PCs running the practice’s management and billing software.
Templeton’s communications innovation began in 2008, when he was enticed by a price promotion from the local cable company. “They offered Internet and TV service, and eight digital phone lines, for $386 a month. That’s about one fourth of what we were paying for the hosted service,” he says. To take advantage of the deal, he began shopping for an IP phone system (an Internet-based system).
“I met with several vendors, and one of them was Craig Ray,” he says. Craig is the owner of ProTech Networks, a Cisco Select Certified Partner (a reseller that specializes in serving small businesses). Its clients have operations across the U.S.
“We brought in a Cisco SBCS to demo,” Craig says. “Jason and the staff got to hold the phones in their hands, to experience their quality. They saw for themselves how easy the system is to use, and how powerful it is.
“All in one box, it gives most small businesses everything they need.”
“I had told Craig we required a simple system that would be a long-term investment, not anything we’d be replacing anytime soon,” says Templeton. “We needed an auto-attendant and voicemail that’s easy to use. And it had to be reliable and come with responsive service.
“We got everything we asked for.”
Lower Cost, Better Technology and Service
The office’s Cisco SBCS solution includes a unified communications platform for 24 users, a switch, and 20 flagship Cisco IP Phones.
The office pays less than $600 a month to lease the solution from Cisco Capital and have ProTech Networks remotely manage it; the office will own the solution after 36 payments.
“The boss is very happy,” says Jason. “We’re saving money every month. Plus, we get more advanced technology, and better service.
“ProTech Networks responds immediately remotely, or comes onsite in just a few hours. Our old telecom vendor took 24 or 48 hours, if we were lucky.”
Simple Means More Productive
“The phone features are easy for all of us to use—no one has any complaints. We are a very busy practice, and the phones make us much more efficient.
“The time savings we get from this system have improved our level of care, and our ability to serve new patients,” he says. “We’re now seeing about 100 patients a day.”
Templeton says specific improvements include the following:
• Now every call is picked up within three rings, by staff or the auto-attendant.
• When patients or pharmacists call with an inquiry, they no longer wait on hold, and staff is not interrupted. The auto-attendant routes the call, and staff can respond in a timely way.
• With their own voicemail boxes, the medical professionals no longer work from cryptic written phone messages. “The accuracy is much higher, so we do our jobs better and faster,” he says.
“Our productivity and patient care are up, and our overhead costs are down. We are conserving cash. This was an excellent investment for us,” says Jason.

August 5th, 2009


Do you have gigabytes of information stored on your server that you’ll never use, but feel like you should keep? You are not alone. Given expanding regulatory rules and the key role that electronic records now play in lawsuits, some businesses go so far as to save every bit of data they have. In fact, one industry analysis reports that the total amount of disk storage shipped last year grew 42.5 percent from the year before, evidence that many businesses are opting to save much more of their information rather than deleting it.

You may be thinking, “So why should I worry about our data storage?” or “What’s the big deal in keeping everything?” While it is true that even offsite data storage costs have gone down by about 20% this year, the simple fact is that keeping your data forever creates long-term management challenges and leads to headaches when something needs to be found. Most often, companies that save everything don’t do so because they think it’s the best way, but because they aren’t sure what needs to be saved or deleted.

Certainly every organization needs to save information for its own purposes, such as transactions, accounting records, analytical data, and so on. Not only that, but regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) require enterprises to save certain kinds of content for a prescribed period. You may not be covered by these acts, but rest assured more regulations are in the works.

Data retention is a balancing act. Keep too much and not only will the cost of eDiscovery in a lawsuit (even a frivolous one) be astronomical, but you also increase the risk of damaging findings being discovered. On the other hand, delete data without a specific and rigorously enforced retention policy and you’re not likely to receive the benefit of the doubt from the courts as to why requested information is not available.
What should be done?

To address the problem, here are 4 data retention strategies you must consider:

1.) Start with the storage analysis, not the storage technology or procedures. Know what data has to be kept and for how long. Many times requirements are dictated by industry or legal requirements. There are software tools to help you in analyzing what information is stored on your servers and how it’s used.

2.) Segment user populations. Use categories such as executives, back-office employees, sales, and people who deal with the company’s intellectual property, and treat their data differently. You certainly don’t need to keep back-office transactional data as long as executive strategic communications.

3.) Be precise and consistent with data retention policies. Carefully crafted and enforced policies will more often than not be deemed legally defensible, causing less legal exposure and dramatically lowering the cost of eDiscovery.

4.) Don’t confuse back-up with archiving. Since backup systems don’t generally have the granular control needed to save some types of information for a short time and others for longer, using them as archival systems can be costly and risky. For example, if a certain business record needs to be saved for seven years, the wrong place to save it is on a backup tape with 65,000 other files.

Avoid the expense and hassle of having too much data by having and enforcing strong policies and using proper tools to maintain independent data archives.  We can assist you in identifying best practices and cost effective software tools for your business.  Contact ProTech Networks and let us help you with your precious data.
