Access Risk Management Blog | Courion
According to Verizon's 2012 Data Breach Investigations Report, data breaches have skyrocketed, with 855 incidents and 174 million compromised records in 2011, compared with a low of 4 million records compromised in 2010.
Hacktivists have upped their game. External attackers accounted for 98 percent of data breaches (think organized crime, activist groups, former employees, organizations sponsored by foreign governments); hacking was used in 81 percent of data breaches, and malware reared its ugly head in 69 percent of breaches. With external hacktivists going full throttle, insider breaches appeared meager at four percent, and business partners were responsible for less than one percent of the breaches.
Of the victims, 79 percent were targets of opportunity, breached because they were easily exploitable. And 85 percent of those targets of opportunity were organizations with fewer than 1,000 employees, with nearly three-quarters in the Retail/Trade and Accommodation/Food Services industries, where Point of Service (POS) systems provided the opportunity.
Cybercriminals had a field day with Personally Identifiable Information (PII) (name, address, Social Security number). And if you think that by being compliant with the Payment Card Industry Data Security Standard (PCI DSS) you can't be breached, you need to think again. Just because you're compliant doesn't mean you're secure.
When it came to targeted attacks, companies in the Finance, Insurance and Information sectors were targeted more than other areas — with seven out of 10 targeted attacks against larger businesses. And, strange but true, larger organizations aren't much harder to compromise than smaller ones.
High-profile breaches seemed to occur on a regular basis in 2011 (think Epsilon, Sony, NASDAQ), and many went unnoticed for weeks and even months. To make matters worse, breaches weren't discovered by the victims; according to Verizon, 92 percent learned about them through third parties.
But what's really unfortunate is that 97 percent of these breaches could have been avoided through the use of simple or intermediate controls!
So what can we do? In today's dynamic business environment, companies have to get on board with implementing a proven access risk management solution that works for them. One that will protect their business on all fronts (on-premises, in mobile, cloud-based and virtual environments), helping them identify, quantify and manage the risks associated with information access.
Sure, it can be challenging to find a comprehensive solution that offers increased visibility to risks, faster resolution to security and risk issues, and secures your organization from everything the world's throwing at you. So, what have you got to lose by not implementing a strong access risk management solution? Well, maybe everything.
In parting, the Verizon report offers these recommendations to prevent data breaches:
- Eliminate unnecessary data. If you need to keep it, monitor it.
- Establish essential security controls, and monitor them regularly.
- Monitor and mine event logs for suspicious activity.
- Evaluate your threat landscape and create a prioritized security strategy.
For small-medium businesses:
- Use a firewall on internet-facing services to protect data.
- Change pre-set credentials on Point of Sale (POS) and other systems to prevent unauthorized access.
- Monitor third-parties who manage your firewalls and POS systems.