A deluge of data breach reports has recently been published, and we have compared the findings from the likes of Verizon, the Department for Business Innovation and Skills (BIS), FireEye, and Trustwave to identify some of the key trends and issues that have emerged over the last year.
What types of data breaches are taking place?
External threats continue to account for the vast majority (92%) of data breaches, and the leading source of those (75%) remains “financially motivated cybercrime”. According to Verizon, more than half of all external breaches are tied to organised criminal groups, many of which are based in Eastern Europe, carrying out activities such as spamming, scamming, payment fraud, and identity theft.
More surprisingly, Verizon reported that state-sponsored “cyber espionage” made up 21% of all data breaches. Of those, 96% were said to be attributable to state-affiliated entities tied to China. These attacks usually target classified information, trade secrets, intellectual property, financial data, and insider information. Due to the increasing number of sophisticated cyber-espionage attacks on UK government and industry networks (reportedly up to 70 attacks every month), the British government announced earlier this month that it is launching the Defence Cyber Protection Partnership (DCPP), working with a number of private defence and telecom companies, including HP, BAE Systems and Rolls Royce, to tackle cyber threats in the UK.
“Hacktivists” such as LulzSec and Anonymous still gain attention in the press for their high-profile data security breaches. However, Verizon found that they carried out just 2% of all breaches. Nevertheless, the high profile nature of those breaches, such as the Sony PlayStation Network hack, means that they have the potential to cause disproportionate financial and reputational damage.
Only 14% of attacks involved “insiders” and, of those, customer service personnel such as cashiers, waiters and bank tellers were responsible for 46% of breaches. Other significant contributors were end-users, administrators, managers and executives. The activities carried out by “insiders” ranged from simple card skimming to far more complicated plots to smuggle corporate IP to competitors. As in previous years, most internal breaches were due to lax internal practices, human error or deliberate misuse of systems.
Although the sophistication of some attacks is growing, the vast majority of breaches of all kinds were relatively unsophisticated and could have been prevented by basic measures such as enforcing stronger password practices and keeping firewalls and anti-virus/anti-malware software properly updated.
Who was most affected?
Retail, food and beverage, and hospitality industries suffered the greatest number of incidents. This was largely due to vulnerabilities in the payment systems and software that they use. The financial services sector saw a small increase, but stronger security controls mean that companies in that sector are relatively better defended against breaches.
FireEye found that some industries are attacked cyclically, whilst some experience erratic attacks. For example, the banking, business services, and legal sectors all experience high volatility. Low volatility sectors include technology and telecoms, which are targeted fairly consistently. Other sectors, such as healthcare, energy and government can be harder to predict. For example, the healthcare sector was recently listed as one of China’s priorities in its 15 year science and technology strategy, which reportedly coincided with a surge in cyber espionage campaigns against healthcare firms.
The reports vary in their analysis of how attacks are distributed across businesses of different sizes. Verizon suggested that the proportion of attacks against large and medium-sized businesses had increased. On the other hand, BIS found that the number of small businesses affected, and the sophistication of the breaches they suffered, had increased in the past year. However, the reports agree that businesses of all sizes reported an increase in both the number and the cost of breaches.
The BIS research has shown that the cost of a serious security breach to a large organisation was £450k to £850k. The average cost to a small business was £35k to £65k. The total cost of security breaches to UK plc is billions of pounds per annum and was estimated to have tripled over the last three years.
Both reports agreed that detecting a data breach still takes companies far too long, which increases the financial and reputational losses suffered. In its 2012 report, Verizon found that 56% of breaches took a month or more to be discovered; in the 2013 report that figure rose to 66%.
If last year was the year of the “hacktivist”, this year seems to be the year of “cyber espionage”. External attacks continue to be responsible for the majority of data breaches, and the methods used to carry them out are becoming more sophisticated. The majority, however, remain fairly simple and preventable, but are not being detected promptly, which increases the resulting cost and damage to the affected organisation.