New Report Says PCI Not a Great Deterrent but Better Than the Rest
"The compromise of sensitive information increased dramatically in 2008, and it's past time to be vigilant about enterprise security," said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions.
"This report should serve as another wake-up call that good security and a proactive approach are paramount to running a business in this day and age, particularly since the economic crisis is likely to trigger a further increase in criminal activity," Tippett added.
Verizon Business produced the "2009 Data Breach Investigations Report," the second annual edition of the study. The report found that the financial sector accounted for 93% of all records compromised in 2008, and that a "staggering" 90% of those records were taken by groups identified as engaged in organized crime.
As in the first study, sophisticated attacks accounted for only 17% of breaches. However, these relatively few cases accounted for 95% of the total records breached, showing that motivated attackers know where and what to target.
Verizon Business investigative experts found that nearly nine out of 10 breaches were considered avoidable if security basics had been followed and most of the breaches investigated did not require difficult or expensive preventive controls. The 2009 report concluded that mistakes and oversight failures hindered security efforts more than a lack of resources at the time of the breach.
The report found that complying with the PCI data security standard remains essential for avoiding card security breaches. By itself PCI will not guarantee that a financial institution or retailer does not suffer a breach, the report said, but not using it will almost certainly bring trouble. Fully 81% of affected organizations subject to PCI had been found noncompliant prior to being breached, the study found.
Additionally, most data security breaches in 2008 involved external hacking (74%) or business-partner weaknesses (32%); insiders figured in 20%. (The figures exceed 100% because a single breach can have more than one source.)
The safest course, the study found, is to audit your own systems or have a trusted third party examine and test them. In 2008, 69% of breaches were discovered by third parties rather than by the breached organizations themselves.
The report noted that "the ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches."
The firm reported that 2008 saw a big shift to crimes where consumer personal identification numbers are stolen. These PIN-based attacks hit the consumer much harder than signature-based attacks in which a consumer's credit card is compromised, the report said. Investigators found that PIN fraud typically led to cash being withdrawn directly from the consumer's account, placing a greater burden on the consumer to prove that transactions are fraudulent.
The higher monetary value commanded by PIN data has spawned a cycle of innovation in attack methodologies. Criminals have re-engineered their processes and developed new tools, such as memory-scraping malware that reads card and PIN data out of a payment application's memory during the brief window in which it is held in cleartext, to steal this valuable commodity.
The geographic distribution of external data breach sources continues to show high activity in Eastern Europe, East Asia and North America. In fact, the 2009 report shows that these regions accounted for 82% of all external attacks.
Tippett pointed out that, among investigators, "Eastern Europe is known as a notorious haven for organized cybercrime outfits, which played a major role in breaches throughout 2008."
"We have a great deal of evidence that malicious activity from Eastern Europe is the work of organized crime," he said. However, "efforts with law enforcement led to arrests in at least 15 cases in 2008."