McAfee: Breaches Escalating Despite Better Education, Technology
Despite increases in security education and technology spending, breaches continue to soar, and on average IT pros have dealt with six breaches over the course of their professional lives.
That’s according to McAfee’s new report, Grand Theft Data II – The Drivers and Shifting State of Data Breaches. The company surveyed 700 IT security professionals from commercial and enterprise organizations globally to learn about their data breach experiences.
Despite improvements in combating cybercrime and threats, IT security professionals still struggle to fully secure their organizations and protect against breaches, with 61% claiming to have experienced a data breach at their current employer.
Adding to this challenge, data breaches are becoming more serious as cybercriminals continue to target intellectual property, putting the reputation of the company brand at risk and increasing financial liability.
Candace Worley, vice president and chief technical strategist at McAfee, tells us data exfiltration is a risk whether you hold the data in your own data center or your provider holds it in theirs.
“Whether you’re managing your security or you’ve outsourced it to someone else to manage, you’re ultimately the one that will be held accountable for a data breach,” she said. “That means that organizations that leverage service providers need to build into their contracts language that protects them as much as possible in the event of a data breach. For example, the ability to audit security controls, understand where their data is being stored (both primary and back-up versions), SLAs on remediation and liability in the event of a breach, [and so on].”
There is a big difference between what the law says and the court of public opinion, Worley said. The laws may be on your side depending on your geography, but if your service provider loses your data, your customers likely will still hold you responsible, she said.
The McAfee report highlights the following:
- Data now is being stolen by a wide range of methods, with no single technique dominating the industry. The top vectors used to exfiltrate data are database leaks, cloud applications and removable USB drives.
- Personally identifiable information (PII) and intellectual property (IP) are now tied as the data categories with the highest potential impact, according to 43% of respondents.
- IT is looked at as the culprit, with 52% of respondents claiming IT is at fault for creating the most data leakage events. Business operations (29%) follows as the next most likely to be involved.
- Security technology continues to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security broker (CASB) and data loss prevention (DLP), resulting in delayed detection and remediation actions.
- There is a rift in regard to accountability, as 55% of IT professionals believe that C-level executives should lose their jobs if a breach is serious enough, yet 61% also state that the C-level executives they work with expect more lenient security policies for themselves.
- IT professionals are taking action, with nearly two-thirds stating they have purchased additional DLP, CASB and endpoint detection solutions over the last 12 months. Respondents believe that between 65% and 80% of breaches experienced likely would have been prevented if one or more of these systems had been installed.
Organizations need to practice good digital hygiene, Worley said.
“The cloud has taught us that you can …