Mistakes are costing companies millions from avoidable data breaches

Lately, not a day goes by without a major news story on cybercriminals, hacktivists, and spies. These are generally viewed as the main threat actors behind the data breaches that we spend so much time — and budget — fighting. But what about Anne in Accounting, Sam in Sales and Paul in Production? While malicious attacks are certainly a significant problem and make for thrilling headlines, it’s mistakes made by people and systems that actually cause the majority of data breaches.

According to the 2013 Cost of a Data Breach study, negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violations of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access.

5 Pieces of DLP Advice You Can’t Afford to Ignore

Today’s business users are nothing if not productive, but too often they don’t think about if they are working with confidential data or if they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats by external attackers to the mix plus malicious insiders, who are intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.

CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline.  Symantec recently published a research paper examining how DLP programs impact the effectiveness of security executives while also protecting corporate data. We surveyed more than 130 CISOs, VPs, directors and managers responsible for the evaluation, selection, deployment and governance of their organization’s DLP solution.

2013 ISTR Shows Changing Cybercriminal Tactics

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, an increasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack than in 2011 (a threefold increase), with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks. One of the most significant innovations in targeted attacks is the emergence of watering hole attacks: the attackers compromise a website that an intended target is likely to visit, and once the target visits that website their computer becomes infected with malware. This successful tactic, popularized by a group known as the Elderwood Gang, has infected up to 500 companies in a single day.

Enterprises Can Learn a Thing or Two about IP Theft from Department Stores

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.

There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face every day – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?

DLP Strategy: How to Avoid 3 Common Data Loss Prevention Pitfalls

Defining a data loss prevention (DLP) strategy for your business can seem daunting because it’s not just about technology. It’s also about people and processes. Every group in your company can be affected by the loss of intellectual property and other sensitive information. Forward-looking security executives are driving DLP initiatives to prevent costly data breaches, comply with strict data privacy regulations, and stop malicious insiders and hackers. But like any other part of your security plan, it’s not always as simple as just turning on software – rolling out DLP without adequate preparation can derail your plans before you realize the benefits. Whether you’re just thinking about starting a DLP program at your company or have already decided to deploy one, set yourself up for success by avoiding these common pitfalls.

Small data breach draws big fine, signals need for encryption

Just two weeks ago, a non-profit healthcare provider was slapped with a $50,000 fine from the Department of Health & Human Services (HHS) for violating the HIPAA security rules, after losing an unencrypted laptop containing the sensitive personal information of 441 patients. This is the first HHS penalty for a data breach involving fewer than 500 victims.

For small healthcare providers, this signals an escalation in the consequence of a data breach, as organizations will be held accountable regardless of size. A fine of $50,000 is a lot of money for a small practice, especially a non-profit provider.

As we’ve discussed in the past, the average cost per record of a healthcare data breach is $240, which is 24 percent higher than average. As fines become more common, healthcare organizations of all sizes need to make sure patient data is managed appropriately.

New Year, New Opportunity to Better Manage Risk

Every New Year brings new beginnings and the opportunity to start fresh. While most feel this on a personal level, it fits our work lives as well. Risk managers in an organization (a role normally taken by CISOs) will not only face the plethora of regulations they must follow, but also the effect of employees who bring their own devices into the workplace and utilize virtualized technology assets, big data and cloud computing. With ever-changing rules and technology, a typical CISO has their work cut out for them.

As we look forward into 2013, here are some of the risk management trends CISOs will face in the New Year:

  • A company will be breached despite passing compliance requirements. This will cause practitioners to focus their security programs on risk management rather than only compliance.

Full Disk Encryption: Security on a Wild Ride

Suppose you were being seated in a roller coaster car. You pull down your lap bar, and the guy sitting next to you refuses, saying he will just hold on while the car twists and turns and flips upside-down, because he finds the restraints uncomfortable. This is obviously foolish; the safety measures are there for a reason, and anyone who doesn’t use them is just asking for trouble.

Business security today is much like our hypothetical roller coaster, with its ups and downs that require protection for our intellectual property and other assets. And one of the most fundamental – yet widely neglected – security measures is the use of full disk encryption (FDE). Let’s look at some of the fundamental questions surrounding FDE, and why you should take another look at it.

Why aren’t more businesses taking advantage of it?

How big of a target do I have on my back?

I frequently present on security threats and the Symantec Internet Security Threat Report. There are many great statistics in the current report: 403M unique variants of malware, 5.5B web attacks blocked, 4,597 web attacks per day, etc. I frequently describe the different types of attackers: Malicious Outsiders, Insiders, Organized Crime, etc. The question that is frequently posed after the presentation is “How big of a target are we?”

Many security professionals are looking for the input to the risk formula for the probability of being attacked by one of the attacker types. Unfortunately, this hard quantitative data does not exist; we can only do our best to estimate it based upon the data and information we have about the current threat landscape, as well as industry and company trends.

Driving Better Security Results Through Incentives

As I listened to the opening keynote address at this year’s BlackHat conference, Shawn Henry touched on a number of familiar themes: defense-in-depth, controlling access to data, operational awareness, and so on. Shawn made a number of good points, but one really stuck with me: “We have the ability to make our networks and systems a much more hostile (i.e. difficult) environment for our adversaries to operate in.”

This is absolutely true.  Implemented and used properly, technologies available today could certainly make life much more difficult for our adversaries and dramatically reduce the risk of suffering an information security breach.

So why don’t organizations do this?  What’s holding organizations back from implementing more robust security?

I have spent a lot of time thinking about this question and chewing through ideas for how organizations could raise the bar on security.
