Verizon’s latest investigation into data breach incidents in 2015 makes an important revelation. It seems that cyber-criminals join businesses in seeking a good ROI on their efforts!
- Why your data may be a valuable target for cyber-attacks.
- A reminder for all that, more than ever before, money invested in cyber-security that does not rank as ‘high-assurance’ is likely wasted money.
- Consider the mix of your business vertical, data volumes and use of networks to see how big a target your business may be.
As CSO’s author states: “Cybercriminals care most about ROI, so make yourself expensive to hack.” The report’s revelation suggests that where organised cyber-criminals discover high-quality data protection, it acts as a strong deterrent – they move on and attack systems that are not so well protected.
This same thinking was revealed some years ago when cases for more robust national defences against cyber-crime were discussed. The theory was: “The stronger the defences, the more likely cyber-criminals will move on to focus in other countries with weaker data security defences.”
Where the Verizon report differs is in how its analyses of data breach incidents and attacks have revealed a fact base that should make enterprise and government organisations take notice.
Ultimately, one thing is for sure: data security can no longer be treated as a “tick the box” decision or a “near enough is good enough” approach.
By David Braue 04 May 2016
Cybercriminals care most about ROI, so make yourself expensive to hack: Verizon
High-profile companies will always be singled out by cybercriminals but the majority of businesses find themselves in the spear-phisher’s sights due to simple economics – and one security expert argues that they can save themselves by becoming too expensive to bother with.
“Criminals are seeking easier ways to make money, and they need to have a very high return on their investment,” Ashish Thapar, managing principal for investigative response with Verizon Enterprise Services, told CSO Australia as the company dropped its latest annual Data Breach Investigations Report (DBIR).
“If defenders can increase the cost to the attackers, they can defend themselves very well,” Thapar explained, recommending that businesses create layered security controls as an evolution of conventional perimeter-based defences.
“From an enterprise perspective, if you can really take hold of your controls and protect your most important golden nuggets, you can at last – if not win the game – can defend the game to some extent.”
Thapar’s conclusion comes on the back of a significant expansion in the coverage of the latest DBIR, which is based on analysis of more than 100,000 incidents from 82 countries – up substantially from the previous year’s report.
Senetas High-Assurance Security Comments
One of the most significant conclusions drawn from the Verizon research comes from the report’s author, David Braue:
“The figures showed small retailers, large public-sector organisations, large financial-services providers and small hospitality companies as suffering notable volumes of data-loss incidents throughout 2015 – which was ‘unsurprising’ to the report’s authors as they process information which is highly desirable to financially motivated criminals.”
Public-sector organisations and financial services providers have an undeniable duty of care to stakeholders: any data they hold pertaining to stakeholders (customers, suppliers, staff, shareholders etc.) is sensitive. There is also a reasonable presumption that all confidentiality and related protections will be provided to all stakeholders and their data.
In an era of remarkable encryption technologies, there is no excuse for unauthorised data access and breaches. Whatever the breach, the data stolen should be encrypted so that it is useless to any successful unauthorised party.
Equally important is the report’s emphasis on cyber-criminals’ ROI motivation. It is a fair conclusion to draw that when cyber-criminals hit on an organisation with first-class defences, they are more likely to move on for easier ‘pickings’.
This is why organisations that genuinely take data security seriously only invest in high-assurance protection technologies – such as high-assurance encryption of both data in motion across networks and for data at rest.
Today, encryption solutions that do not qualify as high-assurance do not have a place in government and enterprise data networks’ security. Firstly, the devices are not considered to be secure; secondly, there are other weaknesses.
Too often we see revelations of security vulnerabilities in such low-assurance encryption products.
Further Reading: High-assurance network encryption.
“Ethernet Encryptors for Metro and Carrier Networks: An Introduction (Version 6)”, by Christoph Jaggi (Switzerland).
Christoph Jaggi is considered the leading international expert in data networks’ encryption security. This document is his most recent guide for all organisations seeking the optimal solution for their security, business and networks’ requirements.