Over 740 million personal data records held by corporations and governments were exposed in 2013, says an industry association that believes almost all of the breaches could have been avoided with basic security controls.
The statement came from the Online Trust Alliance (OTA), which on Wednesday released a data protection and best practices guide for organizations. Association members include Microsoft, Symantec, PayPal, PricewaterhouseCoopers, Twitter and a number of security and cloud computing service providers.
“Data breaches are nothing new and have been around for quite some time; however, what we are seeing is a significant increase in incidents that not only harm consumers, but businesses as well, leading to a breakdown in consumer trust,” said Tim Rohrbaugh, vice-president of information security for Intersections Inc. and an OTA board member. “Having a rigid, black and white approach to security controls and monitoring and being unprepared for an incident will cost businesses more in the end.”
The data exposure numbers come from the Open Security Foundation and the Privacy Rights Clearinghouse.
In addition, the OTA reviewed 500 data breaches reported in the past year and concluded that 89 per cent could have been avoided. Of the breaches it studied, it found that:
–31 per cent were due to insider threats or mistakes
–21 per cent were due to physical losses of PCs, notebooks, drives or paper documents
Separately, a study by U.S. carrier Verizon found that:
–76 per cent of breaches were due to weak or stolen account credentials
–29 per cent of compromises happened through social engineering
Every year the association releases a best practices guide. This year’s version says best practices can only be achieved when companies stop being content merely to meet minimum compliance standards for data protection. Rather, they must meet “the far loftier data privacy expectations of their own customers, by adopting a comprehensive data stewardship strategy that safeguards data across its entire lifecycle, from collection to deletion.”
Organizations should have an effective data incident plan detailing the steps to be taken when a breach happens, the association says. Businesses must be able to quickly assess the nature and scope of an incident, contain it, mitigate the damage and notify all interested parties, including law enforcement and affected customers, it adds.