Organizations could be doing a lot more to prevent information security breaches. That’s one of the key findings of Verizon Enterprise Solutions’ 2015 Data Breach Investigations Report, the company’s latest installment of the state of cyber security preparedness.
While that assessment might be obvious to many—in light of the number of recent high-profile data breaches—the report makes some interesting observations about where companies are at with security and what challenges they’re facing.
Many organizations are still open to lots of existing vulnerabilities primarily because they have never deployed information security patches, says the study, which analyzed more than 2,100 confirmed data breaches and about 80,000 reported security incidents. Verizon is among 70 global organizations that contributed data and analysis to this year’s report.
Many information security breaches could be avoided if companies were more vigilant about their security strategies, the report says.
“we continue to see sizeable gaps in how organizations defend themselves. While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases.
Mike Denning, Vice President of Global Security, Verizon Enterprise Solutions
The problem of these security gaps is nothing new; it has been a key theme of the Verizon breach reports over the years, Denning says.
An interesting finding is that although security attacks are becoming more sophisticated all the time, many attackers continue to rely on techniques that have been around for decades. A large majority of attacks (70%) use a combination of phishing and hacking techniques and involve a secondary victim, and this adds complexity to breaches, Verizon says.
The report maintains that mobile security threats have been overblown, which is also interesting because so much attention in the industry is being paid to mobile app and device security. Overall, the breach report says, the number of exploited security vulnerabilities across all mobile platforms is “negligible”.
Verizon security researchers discovered that a huge majority (96%) of the nearly 80,000 security incidents they analyzed could be traced to nine basic attack patterns that vary depending on the industry. These patterns include miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks, cyber espionage; point-of-sale intrusions; and payment card skimmers. The report says 83% of security incidents involve the top three threat patterns, and this is up from 76% in the 2014 report.
The longer it takes for enterprises to identify that a breach has occurred, the more time attackers have to penetrate defenses and cause damage. More than one quarter of all data breaches take organizations weeks and sometimes even months before a breach can be contained.
The Verizon report also covers the hot topic of security with the emerging Internet of Things (IoT). It examines security incidents in which connected devices were used as entry points in order to compromise other systems, and co-opting IoT devices into botnets that are infected with malicious software to perform denial-of-service attacks.
The findings about IoT and connected devices reaffirms the need for companies to make security a high priority when deploying “next-generation intelligent devices,” the report says.
For this study, Verizon security analysts used a new assessment model for gauging the financial impact of a particular security breach based on the analysis of nearly 200 cyber liability insurance claims. The model accounts for the fact that the cost-per-record stolen is directly impacted by the type of data and the total number of records compromised, and shows a high and low range for the cost of a lost record such as a credit card number or medical health record.
For example, the report says, the model predicts that the cost of a breach involving 10 million records will fall between $2.1 million and $5.2 million, 95% of the time. And depending on circumstances, it could range up to as much as $73.9 million. For breaches with 100 million records, the cost will be between $5 million and $15.6 million, 95% of the time, and could cost as much as $199 million.
Verizon’s security researchers provided a number of recommendations for organizations looking to strengthen security. These include a need for increased vigilance; make people the first line of defense; only keep data on a “need-to-know basis”; apply patches promptly; encrypt sensitive data; use two-factor authentication; and don’t forget physical security.
Clearly, the numerous attention-grabbing data breaches over the past year has raised more visibility for security. “It was the year when so many high-profile organizations met with the nigh inevitability of ‘the breach’ that ‘cyber’ was front and center at the boardroom level,” the report says.
I invite you to download this executive brief and learn how security leaders can take a more proactive approach to their security operations, and weave it into the total IT strategy: