“Cybersecurity threats are increasing as quickly as businesses can implement measures against them. At the same time, businesses must embrace virtualization and cloud, user mobility and heterogeneous platforms and devices,” Trustwave noted in the executive summary of its 2013 Global Security Report. “They also have to find ways to handle and protect exploding volumes of sensitive data.”
When it comes to who is most at risk, Trustwave uncovered that retail businesses and their sensitive data are back in the crosshairs in a major way. For the first time in three years, the retail industry made up the highest percentage of data-breach investigations, accounting for almost half (45%). The food and drink industry came in second (24%), with hospitality rounding out the top three (9%).
Where should companies focus their defense efforts? The report found that web applications have emerged as the most popular attack vector for data siphoning. E-commerce sites were the No. 1 targeted asset, accounting for 48% of all investigations. Even so, for many, basic security measures are still not in place. “Password1” is still the most common password used by global businesses. Of three million user passwords analyzed by Trustwave, 50% of users are using the bare minimum.
Social engineering remains a big part of the infection puzzle as well. Trustwave found that even though spam volume is declining, the impact on business is not. Spam volume shrank in 2012 to a level lower than it was in 2007, but spam still represents 75.2% of a typical organization’s inbound email. Most importantly, Trustwave found nearly 10% of spam messages to be malicious.
And then there’s mobility. As organizations embrace mobility, mobile malware continues to be a problem for Android, with the number of samples in Trustwave’s collection growing 400% in 2012.
Amid all of this is the fact that corporate IT departments are overwhelmed. More responsibility now falls onto security staff to stay on top of zero-day attacks, for instance, because software developers vary greatly in their ability to respond and patch zero-day vulnerabilities. In this study, the Linux platform had the worst response time, with almost three years on average from initial vulnerability to patch.
So, many are embracing an outsourced IT operations model. This too presents big issues: in 63% of incident response investigations, a major component of IT support was outsourced to a third party. Outsourcing can help businesses gain effective, cost-friendly IT services; however, businesses need to understand the risk their vendors may introduce and proactively work to decrease that risk, Trustwave noted.
It’s no wonder then that businesses are slow to “self-detect” breach activity. Trustwave found that the average time from initial breach to detection was 210 days, more than 35 days longer than in 2011. Most victim organizations (64%) took more than 90 days to detect the intrusion, while 5% took a staggering three or more years to identify the criminal activity.
“The combination of business and IT transformation, compliance and governance demands and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge for organizations of all types – from multinational corporations to independent merchants to government entities,” noted Trustwave.
Bottom line? IT departments may be overtaxed, but the very real threat of data breach activity should compel businesses to do something about it.