The good news is that there wasn’t a major incident, unlike previous years, in which millions of records were compromised (this year will be less fortunate - see below). The bad news is the implication: cyber-criminals are now effectively targeting smaller and mid-sized companies, compromising smaller databases.
If you are an individual, it doesn’t matter whether your data has been lost in a large or a small data breach; you are still being put at risk of serious fraud. Why target smaller companies now? The answer is that it’s simply much easier to go after smaller companies, because larger ones are better defended and more aware, or at least they are in theory.
Smaller organisations need to take the issue of data protection just as seriously as larger ones, encrypting data where required and, for example, adhering to PCI DSS when it comes to holding credit card and bank details. It’s also important to reduce the amount of information requested and held, on the principle that ‘if you haven’t got it, you can’t lose it’. Sometimes holding data can be more of a liability than a benefit.
The Verizon report could have lulled us into a sense of security, with a view that things are improving, although it should be noted that not every data loss incident was investigated and reported upon.
Now, however, 2011 looks like a return to large data breaches, with 70+ million customer records compromised in the Sony PlayStation/Qriocity incident last week, nearly 20 times the number reported lost by Verizon for the whole of 2010.
This shows that even the largest of companies are still open to cyber-attack. Even at a few pence per username and password, the value of the stolen data on the underground economy is huge. Sufficient information was stolen either to apply for credit or to construct a believable phishing email. Any email which requests credit card or bank details should be treated with suspicion, no matter who it appears to be from.
The Verizon report indicates that data breaches are more a question of ‘when’ than ‘if’. The defence of ‘I didn’t think it would happen to our company’ is not a good one. Make a plan today and test it. Check and double-check both logical and physical security around sensitive information. Forewarned is forearmed.
Guy Bunker, Jericho Forum board member