Verizon Report Finds SMBs at Greater Risk for Data Breaches
By Tony Kontzer
The recent breaches at RSA, Epsilon and the Texas state comptroller's office notwithstanding, big-company IT security execs may have something to celebrate. Conversely, overtaxed IT crews at small and medium-sized companies may want to brace themselves.
Verizon this week released the findings of its annual Data Breach Investigations Report, and the numbers imply mixed messages depending on the size of a business. While Verizon, with help from the U.S. Secret Service and Dutch High-Tech Crime Unit, investigated 761 breaches, more than five times the number it investigated in 2009 and by far the most in the report's seven-year history, it also saw an eye-popping drop in the number of actual records breached--from 360 million in 2008 and 144 million in 2009 to just 3.8 million in 2010.
There are a lot of possible reasons for this. Better coordination between private industry and law enforcement may be resulting in quicker recognition of--and response to--breaches. Improved security tools might be doing a better job of alerting companies to breaches-in-progress. Perhaps IT security staffs are being more diligent it their network sniffing activities.
But the more reasonable interpretation is the one offered by Christopher Porter, principal of Verizon's risk and intelligence team--namely, that cyber criminals are attacking smaller companies because of the lower risk, seemingly content to make off with smaller, more targeted batches of credit card numbers and the like in exchange for the decreased odds of getting caught. In other words, they needed more breaches to steal fewer records, and they were willing to do so because they were dealing with relative IT security newbies.
The uptick is that big-name companies found themselves waking up to reports of missing customer data much less frequently than in past years, which might have been welcome news if not on the heels of the RSA, Epsilon and Texas breaches. But the news is not good for SMBs, who suddenly find themselves in need of the kind of IT security previously reserved for larger companies. And a few high-profile breaches aren't going to change that--the cyber criminals have figured something out, and they're not going to back off that easy.
That said, there are a few simple steps Porter says SMBs can take to greatly reduce their exposure:
-Make sure to change the default access control settings in any applications containing sensitive data. Verizon's investigation found that two-thirds of all breaches in 2010 were exploitations of default application credentials.
-Be consistent about monitoring logs and validating that nothing suspicious is going on. According to Verizon's findings, 86 percent of 2010's breaches were discovered by a third party such as a fraud detection service, a customer or law enforcement, meaning the company's security staff completely missed the earlier indicators. In fact, in 70% of those cases, there was log data available that would have identified the breach.
-It may sound simplistic, but get rid of unneeded data. Most organizations tend to save too much information, and this is especially true in smaller organizations that aren't likely to have sophisticated data-management policies and procedures. Cautions Porter: "If you don't store it, then it can't be stolen."