Malware, phishing scams and other old-fashioned hacking techniques took the lead as the primary causes of more than 2,000 confirmed data breaches last year that were examined in a new report by communications company Verizon.
Compiled with the help of 70 national and international cybersecurity organizations, the report used data breach insurance claims as well as data from a dozen contributing companies to examine 79,790 security incidents and 2,122 confirmed data breaches in more than 61 countries.
The good news: Smartphones were relatively safe. Only 0.03 percent per week, out of tens of millions of Android phones within the Verizon Wireless network, contained what was called “truly malicious” malware. Those using iPhones had even less reason to worry since most of the suspicious activity found on the iOS platform were “failed Android exploits,” according to the study.
The bad news: The research pinpointed approximately 170 million malware events — an average of 5 events per second — last year. Companies with confirmed breaches lost around $400 million, an average of 58 cents per stolen record.
Companies are taking longer than experts would like to discover breaches, according to Bob Rudis, lead author of the report and Verizon managing principal.
“The attackers are still moving really fast and getting faster and better, and while the defenders are getting better, they’re still not getting better faster than the attackers are,” Mr. Rudis said during a conference call Tuesday.
Most of the cracks that let hackers into systems could be traced directly to human error.
Ninety-six percent of all security breach incidents fell into 9 patterns that were narrowed down further to categories of miscellaneous errors, crimeware, insider misuse and lost/stolen devices. Common vulnerabilities and exploits — vulnerabilities within software and other systems — followed a similar pattern: 99 percent were compromised long after existence of that vulnerability was identified, with 71 percent being exposed at least a year later.
The latest malware — malicious software downloaded to computers — and phishing attacks — email traps used to break into systems — often appear as the same robbers from a decade ago wearing different masks, according to Amy Baker, vice president of marketing for Oakland security training firm Wombat Security. Wombat was one of the 70 firms tapped to help Verizon compile the report.
“It’s not exactly the same playing field as it might have been 10 years ago when it comes to phishing attacks. They’ve certainly become a lot more sophisticated …,” she said.
Where attacks of yesteryear might have involved a foreign prince and promises of riches through shady exchanges of currency, Mrs. Baker said today’s phishers scan social media for birthdays, job titles and anything else that can be used to create the appearance an email request is coming from a legitimate source.
Regardless of increasing sophistication, companies aren’t taking the possibility of threats as seriously as they could, said Erik Knight, CEO of Phoenix firewall company SimpleWan. He thinks that could change once individuals are held accountable for errors that lead to attacks.
“Traditionally, when you ask why you haven’t seen a whole lot of change in the past decade [it’s] because the liability — what’s basically a slap on the wrist for that company — hasn’t been that big. But with [payment card industry] changes, a lot of medical record changes, the government’s starting to step in,” he said.
“You’ve got Congress reviewing bills, and it’s going to become more and more costly for these businesses to have a breach. When these go down, I have no doubt there will be related firings to go with it.”
First Published: April 15, 2015, 4:00 a.m.
