Data Breaches More Than Double in 2011

Data breaches are on the rise, with the number of global data breaches reaching 2,644 last year, more than doubling the number of incidents in 2011. The retail industry is now the top target for cybercriminals, accounting for 45% of security firm Trustwave’s data breach investigations last year (a 15% increase from 2011).

Overall in 2012, nearly every industry, country and type of data was involved in a breach of some kind, research shows.

“Businesses should take a step back and re-evaluate their security posture,” said Robert McCullen, chairman, CEO and president of Trustwave. “All developers, particularly in the e-commerce industry, should implement a full lifecycle security plan that includes thoroughly educating themselves and their employees, equipping themselves with the best tools to protect against attacks and making sure they are using the most reliable resources for zero-day detection.”

Unfortunately, the report found there is still a long way to go when it comes to implementing best security practices. Employees themselves are often to blame: they pick weak passwords, click on phishing links and share company information on social and public platforms.

For instance, out of three million user passwords analyzed, 50% of business users are still employing easily guessed passwords – the most common being “Password1.”

Most victim organizations still rely on third parties, customers, law enforcement or a regulatory body to notify them that a breach has occurred – a worldwide security problem, Trustwave pointed out. In particular, businesses seem to be rapidly adopting an outsourced, third-party information technology operations model. A majority (63%) of investigations revealed that a third party responsible for system support, development or maintenance had introduced security deficiencies easily exploited by hackers.

Worse, most organizations don’t even know that they’ve been hacked when it first happens. About 64% of organizations attacked took more than 90 days to detect an intrusion, with the average time for detection being 210 days – 35 days longer than in 2011. Five percent took more than three years to identify the criminal activity.

“Cybercriminals will never stop trying to compromise systems to obtain valuable information such as customer and private user data, corporate trade secrets and payment card information,” added McCullen. “This year’s Global Security Report pulls back the curtain revealing how breaches happen and how potential victims around the world can protect themselves so that they stay one step ahead and eliminate potential security threats. After reading this report, businesses and government agencies will be one step closer to building a comprehensive security strategy to reduce risk, protect data and safeguard their reputation.”

Trustwave analyzed 450 global data breach investigations, more than 2,500 penetration tests, nine million web application attacks, two million network and vulnerability scans, five million malicious websites, and 20 billion e-mails, as well as extensive research and analysis of zero-day security threats to identify key trends in the threat landscape.