Joe Schumacher, security consultant at Neohapsis, noted that enterprises should be concerned that the share of breaches discovered internally has been on a slow and steady decline. At the same time, the gap between time to compromise and time to discovery is widening: about 75% of attacks took the attackers days or less (often hours or even minutes) to accomplish, yet only 25% of compromises were discovered within days. Most often, it takes weeks or even months before a security event is uncovered.
Schumacher said this underscores that breaches are increasingly happening from the inside: attackers log in with stolen credentials and, once on the network, are almost impossible to detect. In addition, the report shows an increase in insider espionage targeting internal data and trade secrets, with privilege misuse the most common threat action and the corporate LAN the most common attack vector.
“This is quite troublesome as technologies exist to help an organization with such identifications and leads me to believe that a failed human component could be at fault,” he said. “Organizations should have resources as well as procedures defined for monitoring, logging and following up on triggered alerts. In addition, depending on size and/or industry, a company should consider proactively monitoring different communication feeds, public repositories and/or forums for threats and/or data dumps.”
The report also breaks out characteristics by vertical. For one, it shows that data theft and loss account for 46% of all security incidents in the healthcare sector, pointing to a critical risk. “This stat is very worrisome as healthcare has a lot of regulated and/or sensitive data,” Schumacher said. “While this particular chart provides a lot of informative data per industry, I would stress that an organization should not look strictly at their industry. An organization’s security personnel should assess their environment(s) against applicable top patterns being exploited across all industries.”
Overall, across all verticals, the DBIR underscores that enterprises should be considering what to do when, not if, a security incident occurs.
“As we see in the report, everyone is vulnerable to some type of security incident, whether external attacks or insider misuse and errors that harm systems and expose data,” said Eric Chiu, president and co-founder at HyTrust. “The No. 1 threat method was stolen user credentials.”
“This report, combined with major breaches such as Target, Michaels, Adobe and Edward Snowden, should be a wakeup call to every organization to re-think security from an 'inside-out' model and assume the bad guy is already on the network,” Chiu added. “Companies need to implement access controls, role-based monitoring and data encryption to ensure that critical systems and sensitive data are protected.”
As all information security professionals know, that’s easier said than done. “We know what to do in order to defend against attacks, but doing it and maintaining control in the face of complexity and business requirements is still a challenge,” said Steve Hultquist, CIO and vice president of customer success at RedSeal Networks. “The increasing capabilities of network infrastructure and systems mean businesses likewise need to continue to increase the capabilities (and thus complexity) of their information security technologies. As a result, automation is key and will continue to be more so in the future—especially in areas such as audit, analytics and reporting. This is critical in eliminating or mitigating security breaches.”
Overall, the consensus is that the report should act as a wake-up call that existing security approaches must evolve—and quickly—in order to keep up with the escalating scale and complexity of the attack landscape.
"Another year, another increase in hacks,” said Scott Goldman, CEO of TextPower. “Verizon's 2014 annual data breach report shows us that current security measures are either not sufficiently widespread or are too complicated, expensive or user-unfriendly for websites to implement. And, as they correctly point out, using just passwords for protection is useless. In fact, it's like closing your front door but leaving it unlocked. It's bad enough that hackers get in through back doors and poor security - using a single-factor authentication process is like laying out a red carpet for them. Any website that doesn't use some form of ‘out-of-band’ authentication - meaning outside of the web browser - is adding an engraved invitation to go along with the red carpet. Websites will either get smart, get secure or get hacked."