If you're an IT security pro, you already know what this column is about. If you're not, you should download Verizon's "2008 Data Breach Investigations Report" right now. There's lots of horrifying data in there, but this is the one that shook me: Almost half of data thefts now come by way of our business partners.
That's right: Increasingly, attackers aren't trying to get through our security perimeters. Instead, they get inside the systems of suppliers, customers and contractors we trust, and from there, we're sitting ducks.
In 2003, only 8% of the attacks Verizon documented came that way. In 2007, 44% did.
And that percentage is likely to continue to rise.
Understand that this study from Verizon's security services group is based on metrics from more than 500 cases the company was hired to investigate. That's the study's strength and its weakness. It's naturally skewed to cover incidents that were worth calling in a security outfit about.
Then again, those are the ones that keep us up at night.
As you'd expect, the first few pages are a thinly veiled soft sell for Verizon's security services. Don't give up; the numbers start on page eight.
Some of what Verizon itemises is common sense. But some of it demolishes our expectations. It turns out that only 18% of these attacks were launched by insiders (so much for the old "80% of security breaches come from the inside" myth). In 78% of the cases, fully patched systems wouldn't have stopped the breaches. And 55% of the attacks required no great technical chops — just script-kiddie capability.
And despite all the investments we've made in security monitoring, 70% of the breaches were discovered only after outsiders tracked the source of identity theft and other problems back to people like us.
What does the report recommend? Put simply: Monitor your systems, review the logs, and put processes in place to deal swiftly with security problems when they're reported.
There's more to it than that, of course. Read the report. Don't just hand it off to your security people. If you're a CIO or an IT manager or a sysadmin, you need to know what it says.
Then you need to change the way you think about security. Especially as it relates to partners.
That 44%-and-growing number is the one that should scare you. These are organisations we have to trust enough to let them connect to our systems. But we can't choose them; business users and executives do that. We don't run their systems. We may not be able to vet their security or force them to improve it.
We have to set up their connections fast, frequently on short notice and always according to what the business guys want, not what security demands. We have to let them inside our perimeter — but we can't secure their perimeters.
And the bad guys have figured out that every partner is now a potential attack vector.
What does Verizon recommend? Implement basic partner-facing security measures. Tighten up every aspect of your connections with partners, from provisioning to permissions. That's all good, practical advice.
But first you'll have to accept a new reality: Business partners aren't just an extension of your business. They're a potential threat — and your worst enemies know it.
Then get ready to explain to your CEO why you want to treat every partner like your worst enemy.