Verizon just released its highly anticipated 2014 Data Breach Investigation Report (which reports on security incidents for 2013) and it contains some bad news: the bad guys are getting better and better at hacking into our computers and network servers.
This year’s report gathers security information from companies and government organizations in nearly 100 countries, up from only 27 countries in last year’s report. It contains information on 1,367 data breaches and over 63,000 security incidents.
According to this year’s report, organizations are failing to monitor and properly maintain existing security systems and address weaknesses commonly targeted by hackers. Over the past decade, attackers have significantly reduced the amount of time it takes to compromise a system.
Incident detection is the main problem, as most intrusions are not known for nearly seven months on average. Only a quarter of attacks are discovered in a number of days or less. Most victims don’t even know about attacks until they find out from someone else. The biggest problem is that victims of attacks fail to recognize and react to a cyberattack, which leads to significant data breaches.
Corporate Espionage is Increasing
Hackers are still in it for the money, as 60% of cybercriminals are searching for financial gain. But intellectual property spies are increasing in number, and account for nearly 25% of all hackers.
In 2013, there were 511 total espionage incidents, which mainly targeted manufacturing and public sector companies. The majority of these attacks came from Eastern Asia.
Cybercrime is Evolving
Verizon’s report highlighted the most common hacking techniques that are currently being used, and identified nine specific attacks which make up 92% of the nearly 100,000 security incidents over the past 10 years:
- Point-of-sale intrusions
- Web application attacks
- Insider misuse
- Physical theft
- Miscellaneous errors (such as sending confidential information to the wrong person)
- Payment card skimmers
- Cyber espionage
- Denial-of-Service (DOS) attacks
How Companies Can Protect Themselves
While it is impossible to eliminate all security risks, there are some things companies can do to keep security risk at a minimum:
- Enforce a strong password policy
- Set up a two-step authentication for internal and customer accounts
- Implement a lockout policy after a number of failed login attempts
- Train employees on how to spot potential security breaches
- Keep all software up to date with the latest patches
- Make sure users use a VPN like PRIVATE WiFi when accessing public WiFi or when working from home
Verizon’s 2014 Data Breach Investigation Report is full of many useful recommendations which can help companies significantly reduce security risks.