Verizon has just released their 76 page 2012 Data Breach Investigations Report. This is a study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.
The study contains a wealth of information for both small and large organizations. Since most small businesses don’t have full-time, dedicated IT security staff poring over these kinds of reports, we thought we’d do that for you and give you the high points. If you’d like to read it for yourself, you can find it here: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Our next posts will cover how these findings provide a clear road map for the security-conscious small business.
From the Report –
Cyber-criminals continued to automate and streamline their methods of high-volume, low-risk attacks against weaker targets, creating an “industrialized” approach.
Target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an easily exploitable weakness rather than because they were pre-identified for attack. Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult.
- 79% of victims were targets of opportunity
- 96% of attacks were not highly difficult
Smaller organizations represent the majority of victims. This relates to the breed of “industrialized” attacks mentioned above; they can be carried out against large numbers of targets in a surprisingly short time-frame with little to no resistance. Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cyber-criminals understand this very well. Thus, the number of victims in this category continues to swell.
Organized criminal groups were once again behind the lion’s share of all breaches. Why are they doing this? They do it for the money: most data thieves are professional criminals deliberately trying to steal information they can turn into cash.
It is apparent that money-driven crooks continue to focus more on opportunistic attacks against weaker targets. Instead of major and risky heists, they pilfer smaller hauls of data from a multitude of smaller organizations that present a lower risk to the attacker. Think of it as a way to streamline business processes: find an easy way to prey on the unsuspecting, the weak, and the lame, and then simply repeat on a large scale. This high-volume, low-yield business model has become the standard MO for organized criminal groups.
The most effective and efficient approach is almost always to stop assailants before they get in the door. Most opportunistic criminals will not expend their resources on a hardened target while a softer one of similar perceived value is available.
Smaller organizations often do not have the knowledge or resources necessary to address flagrant weaknesses in their Internet-accessible assets that cause them to be identified for opportunistic attacks.
Well over half the time, the victim’s data was removed within hours of initial compromise.
Perpetrators rarely know who they are hacking. In most cases they only learn the identity of their victim after they have gained unauthorized access.