Who Says Financial Industry is More Secure?

Though all technology users face the risks of data loss, there are degrees of variability across different industries.

The food services industry, for example, faces higher incidents of external attacks while the financial services industry is at greater risk from insider attack. That’s the core finding of a new Verizon Business Data Breach supplementary study analyzing four years of data that included some 230 million compromised records.

Verizon’s new data analysis comes as the payment card industry (PCI) and others ramp up efforts to prevent data loss.

“Financials in general tend to be more secure and less subject to compromise events,” Bryan Sartin, director of the investigative response team at Verizon Business, told InternetNews.com. “What you are seeing are more inside jobs; finaincials are better secured against the outside but where the vulnerabilities exist they are internal.”

According to Verizon’s simplified risk calculation matrix based on its data across the financial, food, retail and technology sectors, the overall likelihood of an external data loss incident is 73 percent. For financials alone the likelihood is only 56 percent. However, when it comes to internal sources of data loss, the overall likelihood is 18 percent while in the financial vertical the number jumps to 38 percent.

Sartin noted that the volume of unique records per case in the internal data loss incidents in the financial industry is also substantially higher than other verticals.

“So maybe they [financials] are more secure but the problems they do have tend to be far worse,” Sartin said.

When it came to insider threats, the food industry had the lowest likelihood of data loss at only 4 percent. In contrast though, the food industry had the second highest likelihood of external loss at 80 percent (retail came in at 84 percent).

“In a restaurant environment versus financials or high tech, inside jobs are unique because the restaurant tends to be a small entity,” Sartin explained. “It’s far more rare for even large chains that settlement requests for authorization [are routed] to a central point. They usually go out directly to the credit card processor.”

While the risks related to external and internal threats are important to identify, there is a third source of data loss risk and that comes from business partners and outsourcing.

“From the numbers we see it’s pretty simple to derive a higher risk factor around external business partner relationships particularly those related to outsourcing,” Sartin said.

However, the blame doesn’t necessarily rest with outsourced business partners alone as the data loss risks are still the same that industries face from internal and external threats. The fundamental issue, according to Sartin, is looking at data as the item that needs to be secured.

“The data says yes there is perhaps more risk there [with outsourcing] but what it really underscores it the idea that there is still a circa 1998 mentality that people have around information security,” Sartin commented. “They are all about protecting the company against the outside world.”

In Sartin’s view, all IT users need their fingers on the pulse of data within an organization, ensuring that all access is monitored and tracked to ensure that data is not lost.

One positive step in the right direction to ensure data is protected it the PCI-DSS compliance requirement, which protects payment card data. According to Verizon’s data, payment card data is most often why systems come under attack. While some have argued that PCI compliance doesn’t necessarily mean an enterprise is secure, Sartin is of the view that PCI sure does help.

“PCI-DSS is one of the better demonstrated programs to set companies up for success in terms of keeping their companies out of the headlines for security breaches,” Sartin commented. “I think PCI is pretty darn effective, but you still need a little more than and tailoring is where there is some perceived benefit.”

Sartin suggests that enterprises should always look for ways to tailor data loss security prevention around real points of risks in an environment. Protecting against data loss from external, internal and partner outsourcing related risks is also a critical step in the right direction for data loss prevention.

“You need to look at where is the data and if you don’t need it don’t store and if you have to store it make sure it’s secured.”

News Around the Web