Many organisations are improving internal efficiency as they introduce Internet security response services as part of 'defence in depth' strategies to fight the exploding cybercrime threat, a Symantec managed security services expert has reported. The comments came as the company's latest cybercrime report analysed a surge in 'mega breaches' during 2013.
The company's latest Internet Security Threat Report (ISTR) found that cyber-criminals were scheming more and becoming increasingly effective at siphoning large quantities of information from their target organisations. That led to a 62 percent increase in the number of data breaches in 2013 compared to 2012, with information on 552 million identities exposed.
That figure corroborated the attack volumes posted by the SafeNet Breach Level Index, a recently launched catalogue of individual security incidents that currently reports some 760 million records have been lost through 2013 and 2014 to date.
The ISTR's figures included eight mega breaches, which are classified as incidents in which tens of millions of records were compromised; in 2012, by contrast, only one incident was that large.
Symantec's analysis attributed much of this success to attackers' shift from large-scale spam attacks – which dropped to 66 percent of all email traffic during 2013 – to careful targeting of individuals with often personalised malware payloads that are sometimes combined with social-engineering nous, such as a follow-up phone call purportedly to confirm receipt of the previous email.
Targeted campaigns were up 91 percent during 2013 compared with the previous year, according to the ISTR findings.
“These targeted attacks are becoming more stealthy, sophisticated, and persistent in their activity,” Peter Sparkes, Asia Pacific & Japan director for managed security services with Symantec, told CSO Australia.
“They're becoming low and slow, and the number of days they last has increased to around 8 days per targeted attack. A lot of times, they're using small businesses as a stepping stone to access larger businesses. They're also targeting individuals because information about them is readily accessible, and they're quite easy to find and target.”
The threat has been compounded by the explosion in mobile usage, which allows cyber-criminals to target employees outside the range of internal security controls; some 38 percent of mobile users experienced mobile cybercrime in the past 12 months, according to ISTR figures.
This fact is leading many companies – small companies in particular – to find that they lack the internal processes to support employees in learning about and intercepting attempts to compromise their security.
While there has been a broad range of responses to the growing cybercrime threat, those companies likely to be most successful will be those that take the time to set up formal support processes to ensure staff can function most effectively.
“Organisations are looking at not just prevention technologies as being the way to help them get secure,” Sparkes said. “We're seeing a lot of organisations look at defence in depth strategies – at really rapidly improving their Internet response. There's a lot of effort by companies trying to get a single viewpoint of their security monitoring and detection systems.”
That kind of improved operational visibility can have follow-on benefits for organisations in becoming more responsive to all sorts of operational challenges as they arise, Sparkes added.
“We've seen a lot of these breaches where companies have done well; in fact, some companies have actually expanded their business by having very good incident response capabilities. And, when I talk about incident response, I don't just mean IT incident response – I mean a whole of organisation response.”
Given that the tide of malicious attacks continues to rise quickly – delivering ISTR results that Sparkes says didn't offer “any real surprises” – many companies “took our eye off the ball that all these mega breaches were occurring,” Sparkes continued.
That obscured the visibility of ongoing vulnerabilities, with 1 in 8 Web sites having a critical vulnerability despite years of trying to reinforce a culture of continuous updates. That issue has recently come to the fore as Heartbleed, a high-profile vulnerability whose widespread nature shocked the security community into action this week, saw organisations of all sizes rushing to update the commonly used OpenSSL application and hackers rushing to beat them to it.
Such attacks “reinforced the need for companies to not just put all their money into prevention techniques, but to have an overall prevention strategy with regard to security,” Sparkes said. “Protecting your Web sites and patching are still critical for an organisation, but even simple things like educating users and basic security protocols are still very important.”