A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations. The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.
The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.
The failure to implement such technologies can kick the door open to attackers. In 88 percent of the cases in the DOJ report, the attacker accessed one or more privileged user accounts, obtaining IDs and passwords by network sniffing, using password-cracking programs or colluding with insiders and employees who later left the organizations. The full results of the report can be found on Phoenix Technologies' Web site..
Another study released this week shows that almost two-thirds of security executives are convinced they have no way to prevent a data breach. In addition, most of them believe their organizations lack the accountability and resources necessary to enforce data security policy compliance. The report, called the "National Survey on the Detection and Prevention of Data Breaches," was prepared by the Ponemon Institute, a privacy and security research firm, and PortAuthority Technologies, a developer of Information Leak Prevention (ILP) solutions.
The report surveyed 853 U.S.-based information security professionals, finding that, despite increased attention and media and public scrutiny, data security still is flummoxing many U.S. corporations. Among the key findings: 59 percent of companies believe they can detect a data breach, but 63 percent believe they can't prevent one -- with high false-positive rates, ineffective policy enforcement and overly costly leak prevention technologies comprising a big part of the problem. Full results of the study are available upon request from the Ponemon Institute or Port Authority Technologies .