Who is the most common target?

Today I am reading the incident and compromise report for 2010 by Verizon and the US Secret Service. It’s a good read if you are in my business. It gives me the pulse of what the bad guys are attacking and lets me know if we’re doing the right thing to try to keep our clients out of harm’s way.

The good news is that in 2010 the incidence of compromised data is down. But the bad news is rather dramatic.

Of all of the cases that they evaluated in 2010, a HUGE percentage of the data attacks occurred on small businesses. So why is this?

It’s the same old thing with crime, whether physical or virtual. The solution is simple: don’t be an easy target. This says that far too many small businesses are leaving themselves unprotected, but also that getting out of harm’s way isn’t difficult. The marketplace for crime in small business is wide open, so if you’re the company with a quality firewall, up-to-date anti-virus software, good acceptable use policies for the Internet, and spam filtering, you are not the low-hanging fruit and the criminals will go elsewhere. But if you don’t have locks on the doors, the criminals will walk right in.

What are they looking for? When a cyber-criminal robs you they don’t ransack the place. They try to leave it as clean and untouched as when you left it so you won’t even notice that they’ve been there. There are two important statistics here.

Less data was stolen from servers. Why? Because not all data resides on servers anymore. A lot of data now resides on laptops, netbooks, phones and iPad-type slates. It’s easier to steal from those locations than it is from your server, so guess where crime has shifted to?

Most data thefts were not discovered by the business whose data was stolen, and this is up by 25%. That means the bad guys are getting better at what they do. They are more adept at getting what they want without breaking anything in the process. The thefts are generally reported by consumers or business associates. They are the ones that end up with the stolen identity or the confidential business process that suddenly everyone knows how to build. They are the ones that suffer.

So what does the report recommend, besides not being an easy target?

Notice the word mitigation in the title of this figure. It is about mitigation. The bad guys are smart and they change tactics frequently. Security can’t be guaranteed, but you can move yourself out of harm’s way. The first item is a big one for many of our clients. We know most of you take our advice when it comes to security efforts, but few take our advice when it comes to data storage. Data archiving is a form of data protection. If there is one item that we should discuss with you beyond our usual recommendations, it is this.

If you’d like to read the report for yourself, you can find it at http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
