
2011 Data Breach Investigations Report: Summary

The security and fraud landscape is changing rapidly, according to the recently released 2011 Data Breach Investigations Report – but how much do we really understand?

The report tracks the total records compromised across the combined caseload of Verizon and the United States Secret Service (USSS) over the last three years. The organisations worked together in a cooperative effort to examine approximately 800 new data compromise incidents since their last report.

After 2008’s record-setting 361 million, the investigators questioned whether 2009’s drop to 144 million was a fluke. The latest study suggests it was not a fluke, but a sign that things are changing.

Data breaches nearly doubled last year, but the number of stolen records dropped significantly. This shift is attributed to a change in the cybercriminal landscape, said Bryan Sartin, the director of investigative response at Verizon.

“We aren’t dealing with the same organized, resourced hackers we saw in the past,” Sartin said. “It’s increasingly disorganized crime that makes up the threat.” Individuals are targeting small businesses that have not brought everything into compliance with the required standards. Verizon found that 61% of breaches affected organizations with 11 to 100 employees. Small businesses can no longer hide their heads in the sand and imagine they won’t be targeted.

In this year’s study, 92% of breaches stemmed from external agents, 22% higher than the previous year.

  • 17% implicated insiders, which is down 31% on last year’s findings
  • 50% utilized some form of hacking
  • 49% incorporated malware
  • 29% involved physical attacks (14% more than last year)
  • Privileged misuse dropped by 31% to 17%
  • 89% of victims subject to PCI DSS had not achieved compliance – a rise of 10% on last year. It is therefore unsurprising that 96% of breaches were avoidable through simple or intermediate controls.


Verizon recommends that businesses always do the following in order to lower their risk:

  • Eliminate unnecessary data and keep tabs on what’s left
  • Ensure essential controls are met
  • Check the above again
  • Assess remote access services
  • Test and review web applications
  • Audit user accounts and monitor privileged activity
  • Monitor and mine event logs
  • Examine ATMs and other payment card input devices for tampering


But how much security and computer jargon does each of us actually understand?

Retail Fraud reported recently that a company surveyed 1,000 commuters in a London business district to see how much was genuinely understood. The survey was multiple-choice, and the results were shocking.

A quarter of the people surveyed believed ‘cloud computing’ to be a data centre in the sky. When asked why a smartphone was deemed ‘smart’, one third answered that it was because the phone looks cool. Claire Sellick, Event Director for Infosecurity Europe, commented: “It was surprising that when asked what a ‘computer cracker’ was, a fifth thought it was a new food for technology freaks.”

While results like these may seem humorous, they indicate exactly why cybercriminals are shifting their focus to smaller businesses. We each have a responsibility to comply with regulations to protect our customers or clients and our own businesses. Understanding them is the first step.

The full Verizon Study may be downloaded here.
