In its Data Breach Investigations Report, Verizon discloses the main breaches, findings and recommendations for companies, based on 47,000 incidents studied, including 672 confirmed data breaches.
First, financial cybercrime is the most common offense, present in 75% of cases, followed by espionage at 20%. The main targets of cyber theft are intellectual property, confidential information (defense or trade secrets) and information regarding national and economic services.
Main findings
- In 92% of cases, attacks are carried out by external perpetrators (hacker spies, criminal organizations or activist groups). These attacks are carried out with the help of internal accomplices in only 14% of cases.
- Breaches were made through the theft or discovery of passwords in 76% of cases, through the use of malware in 40% of cases and via phishing techniques, which are increasingly popular, in 29% of cases.
- Data breaches could take months or even years to discover.
- More than two thirds of breaches are detected by third parties.
Despite attacks being increasingly sophisticated, most of them could still be easily prevented. In fact, in 78% of cases, the techniques employed are classified as being of very low (10%) or low (68%) difficulty level.
Although most data breaches are deliberate, many are the result of involuntary actions, such as carrying sensitive information home, copying data to removable media, sending information to the wrong recipient, sending the wrong file to the right recipient or forgetting a laptop in a public place.
Here are some of the recommendations stipulated in the report to help reduce breaches:
- Eliminate unnecessary data.
- Perform regular checks to ensure that essential controls are met.
- Collect and analyze security incidents and use these findings in your information security awareness campaign.
- Without de-emphasizing prevention, develop a faster detection system for breaches through a blend of people, technology and processes.
It is often said that people are the weakest security link and with good reason, since they are common targets for attacks. However, human resources can become the first line of defense if awareness is present. They will be able to recognize and thwart social engineering in addition to detecting potential data security breaches.
Considering the magnitude and variety of breaches and the many attacks on data, it is important not to ignore these threats.
For more details, please view the following articles:
https://www.verizonenterprise.com/DBIR/2013/
By Patrick Paradis, Information security advisor