Verizon recently released its 2014 Data Breach Investigations Report, based on a collaborative data collection effort with 50 organizations including law enforcement agencies, security Information Sharing and Analysis Centers (ISACS), Computer Security Incident Response Teams (CSIRTS), Infosec product and service providers, forensic providers, and cyber centers. The report categorizes more than 63,000 security incidents from 2013 into 9 basic patterns, and this is possible because the data is collected using VERIS — The Vocabulary for Event Recording and Incident Sharing, a common language for describing security incidents in a structured manner.
In the report, Verizon calls 2013 a year of transition from geopolitical attacks to large-scale attacks on payment card systems. While that sounds like good news for manufacturers, it's only mildly comforting.
First, we know that more and more manufacturers are operating in a hybrid model, in which they sell direct to consumer and rely on some type of ecommerce system that could put them at risk for more security incidents.
Second, many manufacturers depend on or are heavily influenced by the consumer economy and sales through retailers, and any time retailers face higher costs including those caused by security breaches, manufacturers incur some of the cost.
Finally, manufacturers didn't exactly go unscathed in 2013. Although the incidents attributed to manufacturing industry account for less than a percent of all security incidents, 23.5 percent of those that did experience those confirmed data loss. Ask any manufacturer — any level of data loss of intellectual property is too much.
One of the interesting points of the report is that breaches from external parties still overwhelm other types of breaches — collusion, internal, or partner breaches. Haven't you heard the myth that more data is lost through employees? Not true. And the image of most hackers (or threat actors to be more precise) as being motivated by fun and mischief? Forget that one, too. It's more likely to be about financial gain and espionage.
We know organizations are building more natural protective barriers (role based access, easier administration to change/update employee access rights, and employee training). Manufacturers are also putting more investment into security, with IDC forecasting that the security product market is growing at a CAGR of 7.1 percent across all industries. But consider the complexity of the manufacturing value chain, with an increasing number of partners and suppliers, more business taking place online, and more new technology investments; all of these are testing the limits of manufacturers' security expertise. For manufacturers, the majority of the documented incidents fall into denial of service (DoS) and cyberespionage. You can bet that's keeping manufacturers' IT departments up at night all over the world, not to mention those that want to protect their company's intellectual property.
In addition to sharing some great data on security incidents over the last year, the report also shares some recommended controls, including some basics that relate directly to cyberespionage and DoS, such as:
- Keep your software up-to-date and patch your end user systems
- Use and update anti-virus systems
- Segment your network and isolate key assets
- Train users, because they are one of your best bets at stopping a breach
Take a look at the Verizon report. Our IDC analyst Chris Christiansen, program vice president, Security Products and Services, recently wrote about the importance of Iterative intelligence — benefiting from past incidents not only within your company but also in your corporate community, industry associates, and national security community. Thanks to Verizon and to its contributors for sharing their data and findings, and helping us to build up our iterative intelligence.