Hackers are targeting familiar technology, not new devices, says Verizon report
A new report on cyber security risk challenges three common myths: cyber criminals are only interested in government, military and major corporations; attackers prefer to use the newest technologies; and data breaches are easy to detect.
The 6th annual Verizon 2013 Data Breach Investigations Report (DBIR) is the result of collaboration among 19 global organizations, law enforcement agencies, national incident-reporting entities, research institutions and private security firms. More than 47,000 reported security incidents were analyzed and 621 confirmed data breaches from the past year were studied.
Myth 1: ‘We're not on the hit list’
Companies don't have to be a household name for someone to want to disrupt their business. Three quarters of attacks are opportunistic, not targeted at a specific individual or company, according to the survey.
‘The massive scale and diverse nature of cyber-attacks took center stage for all to see more so than any other year,’ says Wade Baker, managing principal of Research & Intelligence for Verizon Enterprise Solutions. ‘Small retailers and restaurants to large banks and government agencies were all victimized by everything from petty crooks to state-affiliated groups. Nobody can have the attitude that it won't happen to me.'
For most industries, attacks are motivated far more by a desire for financial gain or revenge than espionage, the report found. But when it comes to espionage, companies need to be wary of more than just direct attacks and consider the consequences of one of their partners or suppliers being compromised. ‘The knock-on effect within your supply chain could be just as damaging as a direct attack. Worse still, you could be a route to an attack on one of your customers,’ the report warns.
Myth 2: ‘The thieves are using the latest technology’
Data breaches continue to target the same assets as in prior years of the Verizon study -- ATMs, desktop computers, laptops, and file servers rather than nifty new web apps.
‘While the scale and diversity of cyber-attacks have increased, most breaches are no more sophisticated now than in past years. Companies that understand security best practices and abide by them put themselves in a good position to thwart attackers,’ says Baker.
Although hackers are trying new techniques and making use of greater resources, the barriers to entry for becoming a hacker are fairly low. Less than 1 percent of breaches in the latest study used tactics rated as ‘high’ on Verizon’s internal scale measuring the difficulty of an initial data compromise, while 78 percent were rated as ‘low’ or ‘very low.’ A simple tactic, however, can still have a devastating impact.
Myth 3: ‘We'll know what hit us’
When a burglar robs your house you can usually tell pretty quickly. That's not necessarily so with data breaches. In 66 percent of cases, the breach wasn't discovered for months, or even years, according to the report. Unfortunately for companies, the crack detectives who discover a breach are often not in the IT department. Nearly 7 out of 10 intrusions in the past year were detected by a third party, with another 9 percent being discovered by companies’ customers.
What to do now
The most useful thing organizations can do is implement procedures to check and recheck their security practices, says Baker. They also need to better monitor what occurs within their networks, systems, and applications.
To reduce risk, Verizon recommends that companies eliminate unnecessary data, keep tabs on data they retain, and collect, analyze and share incident data to create a rich information source that can improve the effectiveness of their data security programs. They should also regularly measure the number of compromised systems, the mean time until detection and other relevant information in order to drive better practices, the report says.
Corporate boards must also step up their oversight of cyber security. Boards need to ask management how they know they have done enough, whether security controls are doing what they're supposed to do, and how security expenditures are reducing the company’s risk, says Baker.
‘For some, cyber security is not even at the top of the list of things they need to worry about.’ he says.
As for boards, increasing their level of oversight of cyber risk may require recruiting a new director specifically for that purpose, according to other experts on the subject other than Verizon.