A Year in Review: The State of Cybersecurity
In early April, computer security firm Symantec released its annual Internet Security Threat Report, one of the most comprehensive sources of Internet threat data in the world. Symantec crowned 2013 “the year of the mega breach,” as data breaches grew by 62% compared to 2012, with eight of the breaches each exposing the data of more than 10 million people. Summed up, approximately 552 million identities were either accidentally or maliciously released.
The findings illustrate that although end-users are getting much better at detecting malicious activity, hackers’ tools and techniques have also improved, and they still hold the advantage in the battle to protect our data. To illustrate this point, the growth in the number of newly discovered Zero-day vulnerabilities suggests that hackers have taken the time to find new weaknesses and vulnerabilities in software on the Internet. Zero-day vulnerabilities are security holes in programs that do not require user-interaction, unlike phishing attacks, where user input is required to gain access to passwords or other personal information.
Another new hacking technique dubbed by Symantec as a ‘watering-hole’ exploit, in which an attacker runs through a three-stage process to target a particular group by infecting a website the attacker suspects the group frequently uses. In the event that users visit the site, their computers fall prey to malicious malware, which then places key assets of the targeted group under the control of the attacker. As the report notes, the watering-hole tactic was employed far more often than simpler phishing attacks against large firms. Symantec analysts have pointed out that similar attacks have taken a very strategic turn in terms of scope and planning. Attacks grew by 91%, and government assets outpaced manufacturing and finance as the most targeted. Other assets remain similarly insecure, with one in eight sites exposed to critical vulnerabilities.
Despite hackers’ increasing sophistication, many data breaches could have been prevented. Hackers accounted for 34% of the data breaches, but data accidentally made public still totaled 29% of overall breaches. Theft or loss of data amounted to 27%. Larger companies have amped up protocols for data storage and transfer, but the main reason accidental data release continues to rank highly is that hackers have shifted targets, focusing on smaller to medium sized businesses that may not have systematic data security procedures in place like stronger passwords, end-to-end encryption, and better identity access management with features like two-factor authentication. Without such procedures, data breaches become much more frequent and costly. For US companies, the cost of each breached record on average is approximately $188.
Governments have a role to play in supporting the development of industry-led, best practice standards on a transnational level, since cybersecurity is a concern that moves beyond borders. Bottom-up standards development allows for fast responses to rapidly changing consumer preferences and threats. Finally, end-users have a responsibility to be aware of the sites to which they entrust data, but companies also have an obligation to keep data secure, and there is still significant work to be done in theft prevention and enforcement of data collection standards. Cybersecurity is not exclusive to companies. It involves consumers, businesses and government working together on risk awareness and mitigation.