Cookie-Cutter Security Doesn't Work: Report

It's all well and good to be concerned about information security and data breaches, but a one-size-fits-all approach may not be the best way to go.

Jim Manico, OWASP Global Board Member

October 3, 2008

2 Min Read

According to a report from the Verizon Business Risk Team (PDF), risk varies by industry, both in where attacks come from and in how sophisticated they are. Verizon analyzed four verticals and found:

1. Financial services: 56% of breaches came from outside of the organization, 41% from third parties (business partners), and 38% from inside of the organization.

2. High-tech services: 55% of breaches came from outside of the organization, 39% from inside of the organization, and 18% from third parties.

3. Retail: 84% of breaches came from outside of the organization, 36% from third parties, and 11% from inside of the organization.

4. Food and beverage: 80% of breaches came from outside the organization, 70% from third parties, and 4% from inside the organization.

The numbers within each vertical add up to more than 100% because many breaches involve multiple sources, the study explains. It goes on to point out that tech services was the only category that faced a bigger threat from within than from business partners: "It stands to reason that organizations in this industry likely employ a high percentage of tech-savvy staff and grant them high levels of access to numerous systems. Unfortunately, some find that access to sensitive and valuable resources is a temptation too hard to resist. Facing similar temptations, insiders in the Financial Services industry were behind a large proportion of breaches as well."

Along the same lines, the most sophisticated attacks are happening in the tech and financial services markets, though a bird's-eye view of all four markets shows that low-difficulty attacks were the culprit at the majority of firms. Another finding: errors, mostly indirect ones, contribute to a large share of system compromises. Hacking was also a major culprit, though in financial services deceit and misuse (using granted resources and/or privileges for any unauthorized purpose) were cited more frequently.

The report breaks down plenty more info, including how attackers are getting in, what kinds of information they're after (three words: payment card data), and the life cycle of a breach. Granted, there's much to take in, but the drilldown exercise that Verizon performed is one you should do for your business as well.

According to Bryan Sartin, a contributor to the report who also spoke with Dark Reading, employing a generic risk calculation, such as the likelihood of insider threats, may be a mistake unless industry-specific factors are accounted for. Although there are many studies and calculators that discuss trends in security attacks, very few of them break their data down by industry, and that breakdown may be crucial to accurately calculating risk in a particular enterprise, he added.

About the Author

Jim Manico

OWASP Global Board Member

Jim Manico is a Global Board Member for the OWASP foundation, where he helps drive the strategic vision for the organization. OWASP's mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. OWASP's AppSecUSA<https://2015.appsecusa.org/c/> conferences represent the nonprofit's largest outreach effort to advance its mission of spreading security knowledge; for more information and to register, see here<https://2015.appsecusa.org/c/?page_id=534>. Jim is also the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He has an 18-year history building software as a developer and architect. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. He is the author of Iron-Clad Java: Building Secure Web Applications<http://www.amazon.com/Iron-Clad-Java-Building-Secure-Applications/dp/0071835881> from McGraw-Hill and founder of Brakeman Pro. He is also an investor in and advisor to Signal Sciences.
