Yes, Verizon we can hear you now. And, those of you responsible for security at your respective companies perhaps might want to listen too, because this is an exhaustive study: 2012 Data Breach Investigations Report (DBIR). That’s exhaustive, not exhausting — though it runs 78 pages and you might want a break now and then.
The study was done by the Verizon RISK Team in cooperation with the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service.
In addition to what it called “mainline cybercriminals,” this broadly based study touched on the effects of the Arab Spring, Occupy protests and hacktivism. “Doubly concerning for many organizations and executives was that target selection by these (hacktivist groups) didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.”
Another area of great concern was the “continued attacks targeting trade secrets, classified information, and other intellectual property.”
The study pointed out that 2011’s 855 incidents and 174 million compromised records made it “the second-highest data loss total since (DBIR started) keeping track in 2004.”
Ninety-eight percent of the breaches were the result of external attacks either by organized crime, hacktivist groups or others. And breaches were most often the result of hacking and malware:
- 81 percent utilized some form of hacking up 31 percent
- 69 percent incorporated malware up 20 percent
- 10 percent involved physical attacks down19 percent
- 7 percent employed social tactics down 4 percent
- 5 percent resulted from privilege misuse down12 percent
Not surprising perhaps, the study found that 79 percent of the victims were targets of opportunity. “Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.”
One thing to note is 85 percent of breaches took weeks or more to discover and 92 percent of incidents were discovered by a third party.