This is the tenth year for the Verizon RISK Team study of incidents of cyber crime, and the fifth year I have written about their report (2010, 2011, 2012, and 2013). A set of what they call “eye-candy” begins this year’s report: beautifully simple charts mapping data breaches from 2004 through 2013. If you have any responsibility for securing the data in your company or have concerns over your own personal information I encourage you to at least admire pages 7-12.
Some of my key takeaways:
- Cyber criminals are still looking for financial information with large-scale attacks on payment card systems and point-of-sale devices. 2013 was certainly a year of retailer breaches, and those are continuing into 2014.
- Internal attacks increased slightly over last year’s report, but most attacks continue to come from external actors, who primarily target your servers.
- While social engineering has increased as a threat action, hacking and malware continue to be the main ways the cybercriminals get into your systems.
- The report shows a significant increase in Web Application attacks which take advantage of weak security and flaws in the programs that interface between the user and the data.
- Point of Sale (POS) devices continue to be a target, with more sophisticated attacks each year. Whether you have one POS device in your single store or thousands scattered around the country or world, each needs to be protected.
Discovery and mitigation of a breach continues to be a real problem for most companies. Most attacks can compromise your data in a day or less. Most companies take weeks or more to discover the attack. What is far worse is that while companies as a whole are getting better at internal monitoring, the majority of breaches are still discovered by someone else: fraud detection at payment card processing companies, law enforcement, or other third parties. Over the past ten years the cybercriminals have gotten better at getting in and stealing data quickly, while companies have gotten worse at discovery.
The Verizon report contains specific recommendations for each type of attack. It is sad to note that these recommendations change little from year to year. In general, we are losing the war against the cybercriminals, especially as countries are actively using cyber-terrorism to support national issues. As just one example, the FBI is investigating a recent attack against five large US banks that may have been instigated by the Russian government in retaliation for the US sanctions against Russia over Ukraine.
If you are responsible for the security of PCI (Payment Card Industry) or HIPAA (health-care) information then you know you must be compliant. But that means more than just satisfying an internal or external audit. It means really embracing the business need to protect that data. Your company might not be able to survive the financial and reputation penalties of a significant breach, whether caused by an act of war, a criminal gang, or a disgruntled or unthinking employee.
The last word:
I do not often quote President Obama favorably, but his “Don’t Do Stupid Stuff” policy is right on in a number of areas, including data security. The vast majority of data breaches are enabled by someone doing something stupid. Do not let it be your company, or your personal finances.
On the other hand, President Obama’s “We don’t have a strategy [long pause] yet” statement really comes under that “stupid” category. He was referring to ISIS, but when your CEO asks you what your strategy is for data security, I suggest you do not repeat the President’s statement. ISIS formed in 2004, and by February 2014 al-Qaeda cut all ties to ISIS due to its brutality. Certainly by August 2014 the President of the United States ought to have a well-formulated strategy for dealing with them. Verizon has been making their annual data breach summaries freely available for ten years. You do not have any excuse for not having a well-formulated strategy for dealing with cybercriminals and cyber-terrorists.
Keep your sense of humor.