Verizon has published its 2011 Data Breach Investigations Report, which shows that the number of security incidents investigated rose four times over the previous report while the number of compromised records fell dramatically. Read in isolation, this could sound like a good news story and give us all a sense that security is improving, and unlike previous years there was no single major incident in the period the report covers. What I see in this development is confirmation that criminals are now effectively targeting small and mid-sized companies and compromising many smaller databases. It should also be noted that not every data loss incident was investigated, disclosed by the affected business, or reported on by the media, so the figures are a floor, not a total.
Why target smaller companies now? As I've said before, it is simply easier to attack smaller companies: larger ones have the resources to be better defended and more security aware, and they have big reputations to protect. For the people whose information has been compromised, it doesn't matter whether the breach was the result of a security lapse at a large or a small company. The result is the same; they face becoming the victims of serious fraud.
Smaller organizations need to take data protection just as seriously as the large ones. That means treating PCI compliance as a starting point rather than an end, self-assessing against recognised security standards, extending security controls to the desktop, filtering web content for malware, and encrypting data wherever it is required. It is also important to reduce the amount of customer information gathered during transactions and stored at the point of sale (POS). "If you don't have it, you can't lose it."
Of course, the second half of 2011 looks set to return to the large-data-breach norm with the Sony incident, demonstrating that even the largest companies are still open to attack. The Verizon report indicates that for an internet-connected company, attacks and data breaches are a question of "when, not if". Companies can no longer bury their heads in the sand regarding the risks of connecting to, or doing business over, the internet. Check and double-check both the logical and the physical security around sensitive information, and every avenue of access to it. If you want to play in the sandbox, you need to have the basic protections in place. There are things in the sand that will eat you alive.