On April 22 Verizon released its 2013 Data Breach Investigations Report (DBIR), which has since 2008 become a leading annual survey of data breaches, with participants across the globe. The 2013 DBIR reports on the analysis of more than 47,000 different security incidents, including 621 confirmed data breaches. As the report makes clear, data breaches affect government entities and companies of all sizes across a range of industries, and involve perpetrators of varying degrees of sophistication and with different motives. There is no one-size-fits-all solution to the problem, but understanding where the vulnerabilities lie will help companies prevent data breaches in the first place and respond more quickly and effectively when breaches do occur.
The DBIR should also be a reminder for companies to review their insurance coverage on a regular basis. While cyber attacks may or may not be covered by traditional commercial general liability policies, specialized coverage is available. Firms considering the purchase of a policy intended to cover cyber liability should review the proposed policies carefully to be sure that the policy provides coverage for the risks the insured seeks to manage. McGuireWoods’ Insurance Recovery team can help you assess the specific coverages you need to protect your business in the event of a cyber attack.
Some highlights from the 2013 DBIR:
- Who are the attackers? The DBIR classifies perpetrators into three groups – activists, criminals and spies – with each group seeking different data and using different methods. While activists use basic hacking methods and aim to cause disruption and embarrassment, criminals tend to be somewhat more sophisticated and are motivated by financial gain. State-affiliated perpetrators accounted for the 19 percent of those analyzed by the DBIR and tend to employ the most sophisticated methods in search of targeted high-value information such as intellectual property or financial data.
- How often are insiders involved in an attack? Surprisingly, not very often. In 86 percent of the breaches analyzed in the DBIR, employees or other insiders were not involved at all. In 50 percent of cases with insider involvement, former employees exploited old accounts or “backdoor” access methods that had not been disabled, with the large majority (70 percent) of such incidents taking place within 30 days of separation from employment.
- How do perpetrators choose targets? Attacks were opportunistic and not targeted at specific individuals or companies at all in 75 percent of the breaches analyzed. No industry is immune.
- What assets are most vulnerable? Traditional assets such as ATMs (30 percent of attacks), desktops (25 percent), laptops (22 percent) and file servers (22 percent) are most at risk. Unapproved hardware such as personal storage devices accounted for 41 percent of reported cases of data misuse.
- What methods do perpetrators use? In these attacks, 78 percent employed techniques classified as “very low” or “low” difficulty, requiring only basic skills and little or no customization or resources. Phishing, misuse of credentials, malware and other techniques targeted at users are among the most common methods of attack. Less than 1 percent of data breaches involved techniques considered to be of “high” difficulty.
- Who identifies data breaches? Of the data breaches studied, 69 percent were first identified by an external party. More than half of the internally identified breaches were spotted first by end users, not IT personnel. Customers first identified 9 percent of data breaches.
- How quickly are breaches discovered? Although in 84 percent of the cases studied the initial compromise took hours or less, 66 percent of breaches took months or years to discover. That is up from 56 percent of breaches studied in the 2012 DBIR.
The DBIR provides eight recommendations to minimize the risks of data breaches and to respond quickly and effectively when breaches do occur:
- Eliminate unnecessary data; keep tabs on what’s left.
- Perform regular checks to ensure that essential controls are met.
- Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
- Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
- Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes and technology.
- Regularly measure things like “number of compromised systems” and “mean time to detection” and use these number to drive better practices.
- Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
- Don’t underestimate the tenacity of your adversaries, especially espionage-driven attackers, or the power of the intelligence and tools at your disposal.
For more information, please contact either of the authors, L. D. Simmons and Joshua Davey, or any other member of the McGuireWood’s insurance recovery team.