Poor breach detection makes firms easy pickings for hackers

Hackers are continuing to be both as active and as effective as many companies fear

Food and beverage-industry companies are the top target for cybercriminals – but even they are waiting up to six months before they know they've been hit, security consultancy Trustwave has warned in the latest of a string of industry security surveys that confirms hackers are continuing to be both as active and as effective as many companies fear.

Working through summaries of activity by its ethical hacking arm, SpiderLabs, Trustwave found that franchise businesses accounted for more than a third of the group's investigations during 2011. This may be because their independent status makes them a perceived softer target for thieves keen on pilfering poorly-secured customer data – which was the target in 89 percent of attacks.

Franchises tend to use the same IT systems across stores, which allows hackers to capitalise upon economies of scale to attack many businesses with discrete customer records. Furthermore, in the highlighted food and beverage industry – read: hotels and restaurants – customer data is often collected and stored in a relatively haphazard way that's frequently tied to point-of-sale terminals and stored in isolation.

"Any organisation can be a target," says Trustwave SpiderLabs head Nicholas Percoco. "Those most susceptible are businesses that maintain customer records or that consumers frequent most."

Stunningly, SpiderLabs' analysis showed dismal rates of detection of security breaches during 2011: only 16 percent of compromised organisations were able to detect the breach, with the remaining 84 percent unaware until they were approached by an outside law enforcement, regulatory or consumer interest. Even when that happened, it took an average of 173.5 days – just under six months – before the attack was even detected.

There was a silver lining, however: of those companies that were contacted to inform them they had been breached, the notifying authority was a police body in 33 percent of organisations – compared to just 7 percent in 2010. That suggests recent intensification of police efforts around hacking is paying off, with the Australian Federal Police mentioned alongside Interpol and equivalent police-driven organisations in the US and UK.

It's not enough to count on the police to come knocking after you've been hacked, however: Trustwave points out the importance of companies getting more proactive about their security practices – with employee education, identification of users, homogenisation of hardware and software, creation of asset registries, unification of activity logs and visualisation of security events all named as important security best practices and recommended strategic focuses during 2012.

Recommending an improved security profile is one thing, but actually delivering it is another, as every company knows. Outside of the rarefied heights of security-vendor analysis and surveys, strictures on IT funding are preventing many organisations from implementing comprehensive or effective enough change to address these issues.

A recent report from the American National Standards Institute found that 60 percent of surveyed executives blamed inefficient funding for the ongoing plague of security breaches of health-related information, which research firm Ponemon Institute said jumped 32 percent last year; half of respondents said time was the limiting factor. Healthcare providers and related companies have, Bloomberg reports, said they need to boost cybersecurity spending from $US23 million per year to around $US155 million in order to stop 95 percent of attacks – which numbered 385 incidents affecting 10 million Americans between 2009 and 2011, according to Department of Health and Human Services figures.

Similar requirements are being seen across a broad range of industries, with Tufin Technologies recently reporting that proposed changes to the European Union's data protection legislation would force companies to take a good long look at their security policies and technology, with 27 percent reporting they have increased security budgets as a result.
