Nearly nine in every 10 data breaches could have been avoided by taking reasonable security measures, according to a new report.

Some 87 per cent of data breaches could have been prevented, according to Verizon Business’ 2008 Data Breach Investigations Report, which made 500 forensic investigations of over 230 million records. It also analysed hundreds of corporate breaches including three of the five largest ever reported.

This study also found that 73 per cent of breaches resulted from external sources, against 18 per cent from insider threats. Some 39 per cent were attributed to business partners. Most breaches resulted from a combination of events rather than a single hack or intrusion.

Dr Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, urged businesses to be more proactive in their approach to security, and to keep better track of data. He added: “Security breaches and the compromise of sensitive information are very real and growing concerns for organisations worldwide.”

In deliberate breaches, 59 per cent were the result of hacking and intrusions, Verizon found. Of those, 39 per cent were aimed at the application or software layer, compared to the 23 per cent that attacked the operating system.

Some 90 per cent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

Three quarters of breaches were discovered by a third party and had gone undetected for a lengthy period.

Verizon also warned that there was a growing worldwide black market for stolen data, especially in the retail and food industries, which accounted for more than half of all cases investigated. By contrast, financial services only accounted for 14 per cent of breaches studied.

The report also suggests that data compromise is the easiest, safest and most lucrative way to steal the information necessary to commit identity fraud.

By breaking into restricted computer systems and compromising sensitive information stored within them, criminals are able to access systems that contain information on tens of thousands of victims versus just a handful through non-electronic means.

Businesses should take a range of simple actions to tackle breaches, the report said. It advised businesses to:

  • Control data with transaction zones. Network segmentation can help prevent, or at least partially mitigate, an attack, the report said.
  • Align process with policy. In 59 per cent of data breaches, businesses had security policies and procedures established for the system, but these measures were never implemented.
  • Create a data retention plan. With 66 per cent of all breaches involving data that a company did not even know was on their system, it is critical that companies are aware of data flows and where they reside, Verizon said. It was important to identify data and prioritise its risk.
  • Monitor event logs. In 82 percent of data breaches, evidence of events leading up to them had been available prior to actual compromise. Data logs should be continually and systemically monitored and responded to when events are discovered.
  • Create an incident response plan. If and when a breach is suspected, businesses must be ready to respond, not only to stop the data compromise but to collect evidence that enables them to pursue prosecution.
  • Increase awareness. Only 14 percent of data breaches were discovered by employees.
  • Engage in mock-incident testing. Running drills and testing peoples’ abilities, judgements and actions during a mock crisis was crucial, Verizon said.