What are some of the most interesting takeaways from Verizon’s latest annual security report?
Data breach, yawn. Those two little words occur so frequently in the media that they will have you switching off. Last week, Verizon released its 2019 Data Breach Investigations Report (DBIR), which provides valuable insight drawn from 41,686 incidents across 86 countries.
The executive summary of the DBIR articulates
the issue perfectly in stating that “No organization is too large or too small
to fall victim to a data breach. No industry vertical is immune to attack.
Regardless of the type or amount of your organization’s data, there is someone
out there who is trying to steal it”.
Numbers speak volumes, so here are the highlights of the report:
· 69% of attacks are perpetrated by outsiders
· 39% of all attacks are perpetrated by organized criminal groups
· 23% of bad actors are identified as nation-state or state-affiliated
· 43% of breaches involved small business victims
· 52% of breaches involved hacking
· 33% included social attacks
· 28% involved malware
Are there any numbers here that shock you? Probably not at first glance. So, let’s consider the second tier of numbers: the DBIR finds that 34% of attacks involved an internal actor. That’s right, the person standing next to you at the coffee machine could be stealing company data, or working with someone externally to steal it.
On the inside
Two weeks ago, I attended the opening
reception of a venture capital office in Silicon Valley. The fund focuses on
cybersecurity companies, so, as you would expect, the interest of the attendees
had a bias. One attendee was talking about an internal system using, in their
words, “artificial intelligence” that the company had developed to profile
employees on the probability that they could act negatively towards the
company, for example steal data when leaving, or be part of a data breach or
other activities that could be detrimental to the business.
Not all businesses have the resources,
inclination or skill sets to profile employees in this way, or at least not
yet. I am certain that within 10 years this will be a standard feature of a
human resources system. The idea that employers may analyze every interaction
that their employees have in the workplace will no doubt make many of us a
little uncomfortable. It all feels too much like George Orwell’s book ‘1984’.
The interesting element is that a company has resorted to protecting itself from the human element, an issue that can evade cybersecurity solutions. I say ‘can’ because anti-phishing, data loss prevention (DLP) and similar controls do help stop human mistakes from turning into incidents.
Meanwhile, financial gain is the most prevalent driver behind a data breach at 71%, according to the DBIR, with espionage second at 25%. This highlights that cybercrime is a business and can be very lucrative for those involved. If a breach exposes personal data together with card numbers and CVC codes, the bad actors have a relatively simple route to monetizing their efforts.
What other stats say
Last week, ESET Asia Pacific (APAC) also released statistics, taken from 7 countries in the
region with 2,000 respondents in each. There are some interesting similarities
with 27% declaring a data breach was due to malware, compared with the DBIR’s
28%. Here are the takeaway numbers from the survey:
· 58% of respondents in APAC experienced a data breach in the past 12 months
· 27% suffered a “virus attack”
· 20% suffered a social media breach
· 19% had their personal data stolen and used
The survey also asked what actions a company should take once it is aware of a data breach:
· 32% said that the company should apologize and inform customers what happened and how the problem was resolved
· 25% said that the company should provide proof that the right systems were put in place
Personally, I think companies should provide
proof that the right systems were in place at the time of the breach and this
was beyond their control. But then I have been the victim of a data breach in
the last 12 months, and there is a blog post on its way later this month
with more details.
Let’s conclude with a number of proactive steps that companies can take to tackle the issue of data breaches, including:
· Limit access to company data to only those who need it
· Patch and update software as soon as possible
· Secure systems with two-factor authentication (2FA)
· Encrypt data in transit and at rest
· Keep a watch on the threat from inside
· Educate employees on the risk and how to be vigilant
· Implement effective security solutions
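Two of those steps, limiting access to those who need it and keeping a watch on the inside, can be shown together in a small piece of code. The following Python is an added example written for this page; it is not code from Verizon, ESET or the DBIR. It assumes a hypothetical need-to-know grant table (deny by default), writes an audit log entry for every decision, and then runs two simple insider checks over that log: users whose permitted reads exceed a row budget within a sliding one-hour window, and users who keep requesting data they were never granted. The user names, dataset names, thresholds and request log are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed need-to-know grants: user -> datasets they may read.
# Anyone not listed, or listed with no datasets, is denied by default.
GRANTS = {
    "alice": {"hr_records"},
    "bob": {"sales_leads", "customer_list"},
    "carol": set(),
}


def may_read(user, dataset, grants=GRANTS):
    """Least privilege: allow only an explicit grant, deny everything else."""
    return dataset in grants.get(user, set())


def process_requests(requests, grants=GRANTS):
    """Apply the access check to each (timestamp, user, dataset, rows) request
    and return an audit log containing every decision, allowed or denied."""
    log = []
    for ts, user, dataset, rows in requests:
        decision = "ALLOW" if may_read(user, dataset, grants) else "DENY"
        log.append({"ts": ts, "user": user, "dataset": dataset,
                    "rows": rows, "decision": decision})
    return log


def flag_bulk_readers(log, window=timedelta(hours=1), max_rows=5000):
    """Insider watch, part 1: report users whose ALLOWED reads sum to more
    than max_rows inside any sliding window. Returns {user: peak row count}."""
    by_user = defaultdict(list)
    for e in log:
        if e["decision"] == "ALLOW":
            by_user[e["user"]].append((e["ts"], e["rows"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start, total = 0, 0
        for ts, rows in events:
            total += rows
            # Drop events that have fallen out of the window.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > max_rows:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


def denied_attempts(log):
    """Insider watch, part 2: count DENY decisions per user; repeated denials
    indicate someone probing for data outside their need-to-know."""
    counts = defaultdict(int)
    for e in log:
        if e["decision"] == "DENY":
            counts[e["user"]] += 1
    return dict(counts)


# Constructed request log: (timestamp, user, dataset, rows requested).
SAMPLE_REQUESTS = [
    (datetime(2019, 5, 14, 9, 0), "bob", "sales_leads", 200),
    (datetime(2019, 5, 14, 9, 10), "bob", "customer_list", 3000),
    (datetime(2019, 5, 14, 9, 15), "alice", "hr_records", 50),
    (datetime(2019, 5, 14, 9, 20), "carol", "hr_records", 10),
    (datetime(2019, 5, 14, 9, 21), "carol", "customer_list", 10),
    (datetime(2019, 5, 14, 9, 40), "bob", "customer_list", 4000),
    (datetime(2019, 5, 14, 14, 0), "bob", "sales_leads", 1000),
]

if __name__ == "__main__":
    audit = process_requests(SAMPLE_REQUESTS)
    for entry in audit:
        print(entry["ts"], entry["user"], entry["dataset"], entry["rows"], entry["decision"])
    print("bulk readers:", flag_bulk_readers(audit))
    print("denied attempts:", denied_attempts(audit))
```

Bob is flagged because 7,200 rows within 40 minutes exceeds the budget, even though every one of those reads was individually permitted; Carol shows up in the denial count because she twice asked for data she has no grant for. The 14:00 read is not counted against Bob since the earlier reads have left the window. In a real deployment the grant table would come from the identity provider and the thresholds from a baseline of normal usage, but the shape of the logic is the same.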