A couple of weeks ago the Verizon RISK Team published the 2012 Data Breach Investigations Report. While it is a treasure trove of security and incident related information it is far too vast to give it a thorough review in this blog post but there are some interesting data points to mention. They definitely had more help this year from around the world to investigate the 855 incidents which resulted in 174 million compromised records. That’s quite a jump from last year when only 4 million records were lost.
The vast majority (98%) of the attacks stemmed from external agents and they relied mainly on hacking (81%) and malware (69%) to get the job done. Methods involving physical attacks and social engineering were down this year in comparison to last year. It’s definitely easier to download the tools they need than to spend the time doing reconnaissance in person or over the phone (and just when I thought we were becoming more social). Some of the most eye opening statistics were in the areas that we have known about for years; attackers are lazy they would much rather exploit known problems (79% of the time) than discover new vulnerabilities and frankly who can blame them, if the door is left open it must mean they want us to enter and these attacks are not highly sophisticated (96% were not difficult) either. One other piece of information I found interesting was that 96% of the victims that are subject to PCI DSS compliance were not compliant. I liked the fact that they broke down the data between small shops and large enterprises and at the end of the report they had a section you can cut out and take with you to your favorite retailers. It basically says, ‘I care about your business and I’d like you to do something so you can avoid unnecessary costs, lost productivity and my personal information getting sold in the black market’. So please read this and do your part to keep your customers data safe.
I’ll definitely print out a stack of these ‘tip sheets’ and bring them with me this year while I support my local establishments. We all can do our part to keep personal data and credit card information off the streets and from us becoming the 1%. Well I'm sure the number is greater (unfortunatley) than that but I couldn't resist one Occupy reference.