High-profile data breaches at retailers such as Target, Neiman Marcus and Michaels brought the sorry state of corporate cybersecurity into sharp focus last year as millions of customers found the data they had entrusted to companies had fallen into the hands of cybercriminals.
But are you ready for the bad news? It is likely to get worse in 2014.
That’s the takeaway from a report from Verizon to be released Wednesday, which found that hackers are becoming more efficient and organized while many companies are struggling to get even fundamental cybersecurity measures into place.
The number of data breaches is growing quickly, but corporations aren’t managing to keep up with the pace or scope of breaches, according to Verizon’s latest annual Data Breach Investigations Report.
“We’ve got a lagging situation here, where businesses are not acting quick enough to keep up with the capabilities of threat actors,” said David Burg, the global and U.S. advisory cybersecurity leader at PricewaterhouseCoopers (PwC).
The report compiled data from 50 security organizations that track breaches — up from 18 groups surveyed for the report last year. Now in its 10th year, the report was expanded this year to include any compromise of a company’s security system, even if the hacker did not steal data.
The results aren’t pretty. The report found 63,437 incidents in which hackers were able to breach a company’s security system, resulting in 1,367 instances of cybercriminals lifting user data. While a direct comparison to last year’s figures is not possible, Bryan Sartin, director of Verizon’s risk management team, which issued the report, said there appeared to be an increase in the number of attacks carried out by organized groups of hackers — those with signs of being state-sponsored, or by “hacktivists” organized around ideological ideas.
“There are all these organized criminal groups — and ‘groups’ is the operative word,” Sartin said. “These are not 17-year-old kids. It’s organized criminal groups that are pooling skills, resources and infrastructure for buying, selling and trading stolen data.”
“The bad guys are getting faster as we aren’t getting any better at detecting what they’re doing,” he added.
In fact, while hackers are managing to break into systems more quickly — often within a matter of days or even hours — companies aren’t getting any better at detecting when their systems have been compromised. It often takes months for firms to realize that they’ve been attacked, and many are notified by law enforcement or another outside group, as was the case in the most recent retail breaches.
There’s no one-size-fits-all approach for protecting corporate security systems, Sartin said. But 92 percent of all breaches are related to nine types of attacks — and specific industries often face just two or three specific types of attacks, he said. Roughly one-third of all attacks targeting retailers, for example, are aimed at the point-of-sale system — the culprit in the Target and Neiman Marcus attacks. For companies, identifying which attacks affect their industries the most allows them to make an efficient game plan, Sartin said.
So, too, is knowing what kind of information hackers may want.
In a separate survey of over 10,000 U.S. companies, PwC found that while 69 percent of chief executive officers say they are either “concerned” or “very concerned” about cybersecurity issues, only 26 percent have identified which types of data they hold are the most attractive to hackers.
“It’s hard to have the strategy if you’re not sure what you’re trying to protect,” Burg said.
Burg said industries in which companies have worked together to set high levels of compliance, such as financial services and health care, are best equipped to deal with breaches. In those industries, companies alert each other to potential dangers.
But spreading that to other industries may be difficult. Congress has considered legislation making it easier for companies to share information. But those efforts have been held up by consumer privacy concerns.
In the absence of such legislation, however, the Obama administration in February released a framework to instruct companies on how best to secure their data. Additionally, recent policies introduced by the Federal Trade Commission and the Justice Department have made it easier for companies to share information without having to worry about running afoul of antitrust laws.
Sharing data is invaluable to detecting and preventing large-scale attacks, Sartin said.
“Understanding your threats and your threat profile is the only way to understand what security measures make sense in the real world for you,” Sartin said. “There’s strength in numbers.”