Many organizations can better protect themselves from hackers by implementing more straightforward, basic security measures, according to a recently released annual report from Verizon. Many smaller organizations could significantly strengthen their IT security by using stronger passwords, for example.
One conclusion from the study, which looked at 855 data breaches that included 174 million stolen records, is that hackers’ methods may be less sophisticated than some people think. Ninety-six percent of attacks were “not highly difficult,” according to the report, and did not require organizations “to resort to difficult or expensive countermeasures.”
Adversaries “are not being forced to change their tactics very much,” said Jay Jacobs, a principal on Verizon’s RISK Intelligence team, in an interview. Hackers are using “the same kinds of attacks over and over again.” The report did find, however, that once attackers penetrated an organization’s firewall, more sophistication was then required for activities including siphoning information back to hackers.
The study, the 2012 Data Breach Investigations Report, showed that, as in the last few years, hackers are frequently using automated methods to conduct attacks.
The study also found a significant increase last year in attacks committed by hacktivists, those with social or political goals. In 2011, 58 percent of data stolen was attributed to attacks with political or social motives, according to the report. In past years, the overwhelming majority of attacks were driven by financial motives.
Data for the study came from Verizon clients and also from report partners including the United States Secret Service as well as law enforcement agencies from the United Kingdom, the Netherlands, Ireland, and Australia. The study is not an accurate sample of all data breaches, for reasons including the fact that many attacks are not reported or detected. Due partly to the amount of data studied, however, Verizon’s report is a relatively good indicator of hacking trends.
One notable conclusion this year was that smaller organizations are far more likely than larger ones to choose easily guessable passwords or to leave default passwords on devices and machines, according to Jacobs. In addition to strengthening passwords, another important step for smaller organizations to take is to ensure they use a firewall, according to the report.
Some primary steps larger organizations can take include eliminating unnecessary data and monitoring important data that needs to be kept. Larger organizations should also be sure to establish essential security controls and to prioritize their security strategies.
The report also suggests that more organizations could benefit from event logging solutions, which can be particularly helpful in detecting attacks. In more than 90 percent of cases, successful attacks were detected by a third party, such as a law enforcement official, according to the report.