Verizon recently published its 2013 Data Breach Investigations Report. It contains a number of troubling findings about companies’ exposure to data breaches, which could threaten proprietary information and trade secrets.
While many think that these issues only affect large companies, the report found that 31% of breach victims were companies with fewer than 100 employees. So this threat affects all companies, regardless of size. Here are some key findings and takeaways:
76% of network intrusions exploited weak or stolen credentials.
Companies must ensure that their employees periodically change passwords, and must require that passwords contain a minimum number and type of characters.
19% of all attacks analyzed this year were perpetrated by state-affiliated actors. . . . In most industries, you’re still much more likely to suffer an attack motivated by financial gain or revenge than espionage.
While news reports often focus on state-sponsored cybercrimes (China has been in the news a lot lately), it is those who stand to gain financially or who have a personal motive to do harm—often competitors and former employees—who present the greatest threat.
Over half of the insiders committing sabotage were former employees taking advantage of old accounts or backdoors that weren’t disabled.
It is absolutely critical to have a standard process in place when an employee departs, which must include disabling all access to the company’s system.
Over 70% of IP theft cases committed by internal people took place within 30 days of them announcing their resignation.
This shows the need to act immediately when an employee departs. It’s also critical to use IT solutions to determine whether former employees took any proprietary information while still working for the company.
Techniques targeted at users—like malware, phishing, and misuse of credentials—are major vulnerabilities. In particular, phishing techniques have become much more sophisticated, often targeting specific individuals (spear phishing) and using tactics that are harder for IT to control. For example, now that people are suspicious of email, phishers are using phone calls and social networking.
Companies need to make sure that they educate their employees regarding the various techniques used to steal information. Consider bringing in an outside expert to speak to your employees.
66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years). . . . 69% of breaches were spotted by an external party.
Here, the report offers good advice when it says, “Companies should devote more time and effort to detection and remediation; preventing attacks becoming breaches, and breaches becoming financial and reputational disasters.” Again, companies need to use IT solutions to periodically audit for potential data breaches.
In the end, it is very important that companies of all sizes speak with the appropriate professionals to make sure they are taking all necessary steps to protect themselves from this growing threat.