View this webinar to learn what compliance regulations (PCI DSS, HIPAA, FFIEC, etc.) say about data protection.
Data breaches happen all the time and we do what we can to prevent that, still cyber crimes are on the rise. Verizon Business Data Breach Investigations Report for 2012 counts as many as 174 million records compromised that year. Verizon compiles the 2012 report with data collected in 2011. You can find the full report here, but I'm going to summarize just a few of the highlights.
- 98% stemmed from external agents, meaning one way or another, cyber criminals gained access to systems storing sensitive data and compromised them.
- 81% used some form of hacking, in many cases in conjunction with malware.
- The statistic that hits home hardest, 96% of victims subject to PCI DSS had not achieved compliance at the time of the breach.
That is really hard to palate because here at Townsend Security we work so hard to spread the word about the importance of merchants being PCI DSS compliant. It's not just about appeasing the auditors or passing an Annual Self-Assessment Questionnaire, it's about protecting everyone's sensitive personal information. These are our credit card numbers that are being stolen, our dates of birth, social security numbers, and a myriad of other information criminals can use to their gain, and our fault. The report lists that 48% of data compromised was payment card data, like credit card numbers.
According to the report from the 855 incidents recorded, 54% of companies affected by that year's data breaches were in Accommodation and Food Services, 20% were Retail Trade, and 10% Finance and Insurance fields. And it's not just companies in the US that are affected, in 2011 data breaches were reported in as many as 36 countries worldwide.
And as if all this information wasn't already scary enough, apparently as many as 55% of data breaches remained undiscovered for months or longer. And the majority of data breaches are discovered by external parties; meaning that the companies experiencing the data breach end up learning about it from someone else, causing bad publicity and damage to the company's reputation.
This report did not talk about the cost experienced by companies or consumers as an effect of these data breaches, however Symantec took the time to compile those numbers for 2011 and in September of 2011 extrapolated the costs over the 12 months that year to $144 Billion in cost. Obviously this has become a very lucrative business for cyber criminals and it's not surprising why they expend so much effort on their endeavors.
The Verizon Business report has one more piece of information worth sharing - their recommendations. Implementing sound security policies around system credentials, like using strong passphrases and changing them on a regular basis, as well as ensuring essential controls on data are met, like encrypting sensitive data and using recommended encryption key management practices like separation of duties and encryption key storage. Especially for larger organizations, monitoring and mining event logs is recommended to aid in discovering active data breaches quickly and internally.
A new report should be published soon and although there has been a lot of attention on these subjects in 2012, the trends in the past have been an increase in data breaches, rather than a decrease. However, knowledge is power, and we have a lot of knowledge for you. Empower yourself and your company by reading some of our white papers on encryption, logging, and data security.