Organized Crime Involved in Most Data Breaches
U.S. Secret Service and Verizon also say the vast majority of breaches could have been avoided with basic precautions.
Organized crime syndicates were implicated in 85 percent of all data breaches last year, according to information compiled by Verizon and the U.S. Secret Service for the 2010 Verizon Data Breach Investigations report released Wednesday.
The report, which investigated more than 900 serious data breaches that compromised more than 900 million online records, also found that the vast majority (96 percent) of the breaches could have been avoided had companies and organizations implemented basic security technology and policies.
This latest data confirms what security experts have been saying for years: Cyber criminals are highly organized and capable of extracting personal information from customers and companies using socially engineered malware and sophisticated phishing scams to quickly turn stolen data into cash and goods -- all from a browser.
"This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective," Peter Tippett, vice president of technology and enterprise innovation at Verizon Business, said in the report. "By including information from the Secret Service caseload, we are expanding both our understanding of cyber crime and our ability to stop breaches."
The report said that companies and consumers need to step up their use of security software applications -- and simple common sense -- to thwart cyber threats, many of which come from insiders who have access to customer data and account information and then either use it themselves or sell it to organized crime organizations.
"Being prepared remains the best defense against security breaches," the report said. "For the most part, organizations still remain sluggish in detecting and responding to incidents."
The report found that 48 percent of data breaches were committed by insiders who abused their right to access corporate information. Another 40 percent of the breaches were the result of external hacking and 28 percent were facilitated using social tactics. And 14 percent were of the smash-and-grab variety, essentially physical attacks involving the theft of servers, laptops, USB drives and the like.
Most breaches are preventable
Sixty-nine percent of the breaches covered in the study were orchestrated by people outside the company or organization attacked. Another 11 percent were conducted by business partners and third-party organizations that had some level of access to the data-hosting company's network.
Security experts for Verizon Business and the U.S. Secret Service said that of the 900-plus breaches they scrutinized, only 4 percent required what they deemed "difficult and expensive protective measures" to thwart.
More troubling, the report said that despite the increased awareness of cyber crime in general and industry-specific educational campaigns, a full 60 percent of companies breached in the survey found out about the attack from an external source.
"While most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes," the report concluded.
Most damning, particularly for small and midsized businesses that lack either the resources, the acumen or the interest in investing in basic security applications and policies, 79 percent of the companies victimized were not in compliance with the PCI-DSS standard requiring companies to adequately safeguard customers' credit and banking account information.
This lack of basic security protocol has led three states to pass legislation in the past year that allows banks to recover certain costs and damages from retailers and credit card processors who fail to comply with current PCI-DSS standards.
It also worth noting that neither Verizon Business nor the U.S. Secret Service found any correlation between an organization's size and its chances of suffering a data breach.
Certain industries were also more likely to be hit by attackers. Financial services, hospitality and retail companies were targeted in the vast majority of breaches at 33 percent, 23 percent and 15 percent, respectively. Additionally, though only hit in a third of the total breaches, financial services firms accounted for a staggering 94 percent of the total records compromised by cyber attacks last year.
"Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size," Verizon researchers said.
July 28, 2010
Offerings for small businesses with big security needs range from a complete hardware solution from Juniper to managed services from KACE.