Verizon released its annual Data Breach Investigations Report this week. The first thing I read when I opened up the report was a fabulous quote from page 48:
Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.
I’m seriously thinking about making that a tagline on my email signature. It is a great comment, and very true in today’s security landscape. But it is also insight into what Verizon discovered in this year’s report.
One thing discovered is that too many companies don’t have the right tools in place to protect themselves from data breaches. That means it often takes too long after the fact to discover a breach has occurred. In fact, 66 percent of the compromised incidents took months or more to discover, up from 55 percent in 2011 and 41 percent in 2010.
According Jim Butterworth, CSO at HBGary, the fact that this number is increasing is no surprise. People are still using antiquated indicators or signature-based solutions to find tomorrow’s threat, and we know that cyber criminals are almost always one step ahead. As Butterworth said to me:
The attackers are creating malware using custom code that can’t be detected by IOCs or anti-virus. Targeted attacks are not like a computer virus that can be handled like a cyberhousekeeping duty. Instead, organizations need to invest in technology, people and processes to respond quickly to these types of threats.
This is a critical situation, HyTrust president and founder, Eric Chiu, told me in an email, and I agree with him. And it is only going to get worse as more computing turns to the cloud and away from traditional networks.
So what can be done for improved breach control? The recommendations from Verizon are the same things said year in and year out: create better passwords, don’t fall for spearphishing, improve malware defenses, implement better security controls on hardware and software. Verizon provides a long list of recommendations at the end of the report. In the end, the number of steps taken by the company will dictate whether it is a target of chance or a target of choice.