Verizon’s “Hacktivism” 2012 report analyzed 855 data breaches in 2011, finding that both small and large businesses are experiencing the second highest data loss since the report’s inception in 2004. Written to help prevent future breaches in 2012, the report carefully breaks down and analyzes global data breach statistics from 2011 and offers recommended solutions. So what did the report find? On a high level, small and large businesses alike suffer from data breaches, primarily from external agents.
According to the report, data breach attempts in 2011 were primarily high volume and low risk attacks aimed at weak targets. As was true in past reports, attacks targeted trade secrets, classified information, and other proprietary information. These data breaches comprised largely of stolen or guessed credentials to gain access to a business’ data records. At least four businesses were forced to dissolve their organization as a result of data security breaches.
Where are these breaches coming from? A full 98% stemmed from external agents, up 6% from last years report, and 58% was tied to activist groups (commonly known as hacktivism). Internal employees committed 4% of breaches, down 13% from last year. And finally, business partners were responsible for less than 1%.
How are the security systems being breached? The report found 81% of breaches utilized some form of hacking, up 31% from last years report. While 69% incorporated malware, up 20% from the previous year. Down 19%, only 10% involved physical attacks. Also down from last year, 7% employed social tactics. And finally, 5% resulted from privilege misuse, also down from last years report.
So what can you do? Is there any hope to protecting your data from external cyber intrusions? YES. Verizon suggested the following:
- Implement a firewall or ACL on remote access service
- Change default credentials of POS systems and other Internet-facing devices
- Make third-party vendors aware if you are using one
- Eliminate unnecessary data and keep a record on what’s left
- Ensure essential controls are met and regularly check that they remain in effect
- Evaluate your threat landscape to prioritize your strategy
The government is taking note as well. The proposed amendment to the National Security Act of 1947, CISPA (Cyber Intelligence Sharing and Protection Act), would give the U.S. government additional options and resource to ensure the security of networks against attacks and enforce copyright and patents. The bill is under fire because few safeguards are included as to how data may be used.
Advocates of Internet privacy such as the Electronic Frontier Foundation and Avaaz.org, oppose the controversial bill. Another critic, Michelle Richardson, a legislative counsel at the American Civil Liberties Union, told the Huffington Post the bill was “a privacy disaster” and “a new backdoor around the Fourth Amendment.” On the other hand, several advocacy groups including the Business Software Alliance, CTIA, The Wireless Association, Information Technology Industry Council, Internet Security Alliance, plus major telecommunications and information technology companies like Verizon, Facebook, Intel, Oracle, Microsoft, IBM, AT&T and Symantec. It will be interesting to see how this bill unfolds, you can track the progress of CISPA here.
Of course, data security is a hot topic in the legal community. Our CEO, Rakesh Madhava will be speaking at the Chicago Bar Association’s Cyber Law and Data Privacy Committee coming up on June 14th from 2-5pm for a Data Security Data Breach 101 seminar. The “Practical Considerations on Protecting Electronic Data” panel with feature Rakesh specifically addressing internal data storage, “Data kept for internal use- Store locally or in the cloud?” Other participants include members from the FBI Cyber Intrusion Squad, the FTC and legal representation from McGuire Woods.