We love data here at CSID, and one of the things we look forward to each year is Verizon’s annual Data Breach Investigations Report. This report reviews the past year’s cyber security incidents, identifies trends and statistics, and provides analysis. This year’s report looked at over 63,000 global security incidents from 2013 – an alarming number that underscores the myriad cyber security challenges that consumers and businesses face. We recommend giving the report a look, but if you are pressed for time, here are a few observations from this year’s report that mirror some of the trends we’ve been seeing here at CSID.
2013 was the year of Point-of-Sale system attacks.
The Verizon report looked at 198 total Point-of-Sale (POS) system incidents, all of which resulted in data loss. In previous years, POS system attacks were mostly confined to SMBs, and they still largely are. But the high profile, high impact breaches of Target and Neiman Marcus in late 2013 brought the vulnerabilities inherent in POS systems into the limelight. To learn more about how POS system breaches happen, check out this Huffington Post piece by CSID president, Joe Ross. Overall, POS breaches have been decreasing over the last several years, but a resurgence in RAM scraping malware and the popularity and success of the Target breach may change this trend in 2014. The FBI has warned retailers to prepare for more cyber attacks of this sort.
When it comes to security, humans are your weakest link.
We’ve said this before and we’ll say it again: if you have a human component in your security system (and most security systems do), that human is going to be the likeliest source of a breach. Verizon accounts for this in the “Miscellaneous Errors” section of the report and aptly states in its key findings that “people screw up sometimes.” The most common miscellaneous error that resulted in lost data was misdelivery (44% of 16,554 analyzed incidents), which includes sending paper documents or emails to the wrong recipients. Misdelivery is followed by publishing errors (22%) and disposal errors (20%). Keeping human error in mind, some businesses we have spoken with over the past couple of years are operating under the assumption that employee and consumer credentials are already compromised, and are taking proactive measures to mitigate the financial and reputational impact of those compromised credentials. Our ETI service offers a good solution for this approach.
Device theft and loss will gain importance as more businesses adopt BYOD.
This category is pretty self-explanatory – when a laptop or phone with sensitive information goes missing, that constitutes a data breach. While the loss or theft of devices isn’t really “cyber-y”, it does make up a large portion of the data loss incidents reported by businesses. This is especially true for the healthcare industry. In October 2013, Seton Hospital here in Austin, Texas had an unencrypted laptop stolen that held medical data for more than 5,000 patients. This type of data theft and loss holds a valuable lesson – when it comes to cyber security, we can’t forget the basics. Sensitive data must be stored and encrypted properly, businesses need to implement BYOD security procedures that can mitigate the impact of a lost device, and employees and consumers need to exercise common sense and not leave a laptop or phone unattended or otherwise unsecured.