THE BLOG
04/24/2014 05:53 pm ET Updated Jun 24, 2014

Verizon Blockbuster Data Breach Report Is Bad News for Organizations

co-authored by Dr. Stephen Bryen, CTO, Ziklag Systems

2014-04-24-photo29.JPG

Verizon has published a blockbuster report on Internet "data breaches" which has garnered major headlines because it fingers Eastern Europe (primarily Russia) as a greater source of attacks than those from East Asia, primarily China. Prepared with the cooperation of 50 companies in different parts of the world, the Verizon study classifies "data breaches" into different categories --but the two most important stand out visibly from all the others. These are "point of sale" attacks and "cyber espionage" attacks.

A point of sale attack is one of the ways, but not the only way, to steal money. Point of sales attacks are most common in the retail industry (think Target), with the largest number in hotels, motels and the food service industry.

A cyber espionage attack is an attempt to steal valuable proprietary information, defense and government secrets, or significant information on individuals connected with these organizations and industries. The data is rather interesting in that the biggest victims of cyber espionage are manufacturing companies, professional groups and companies (including law firms, accounting and tax related organizations, computer systems design companies and services, and scientific research organizations), and mining companies (most importantly oil and gas industries).

One of the unfortunate problems with the Verizon Report, is that it has aggregated important categories using broad North American Industry Classification System (NAICS) codes. Trying to understand who was targeted and why is, at best, guesswork.

A second major difficulty is that the Verizon Report can only provide data on actual reports made by the targets or victims of data breaches. Actually, we do not know how many organizations, both government and private sector, actually report an incident; in fact there is good reason to believe that wherever possible the tendency in both sectors either is not to report an incident, or to minimize the impact on its business or operations. If, for example, a company were to reveal that a critical technology it owns was stolen, its share price would collapse. If a bank reported its central computers have been hit by thieves, people will move their money to a safer locale. If the Defense Department reported that its secret stealth technology was stolen (in fact, it has been, as can seen in Chinese versions of the F-35 Joint Strike Fighter), it might face Congressional hearings or even budget reductions. For all these reasons we can be certain that the Verizon Data is missing big chunks of important information. We can also be sure that Congress has been asleep at the wheel.

A related problem is the linkage between government spying and criminals. There is no spy agency in the world that works in a vacuum. Spy agencies, in and of themselves, are not centers of technology excellence. They are centers for spying, and they buy the technology, know how, and help they need from outside companies and individuals in order to get the job done.

In some countries it has been often alleged that there is a close tie between criminals and spy organizations. For example, Russian intelligence has been accused of working with the Russian Mafia (for example, see William Jasper's article, "Organized Crime is Big Business for the KGB" ) and intelligence services in other countries are often linked in some manner to criminals or criminal organizations. Added to this is the problem that once trained as a spy, there is the potential for the same individual to freelance, often to steal money or engage in forms of extortion.

Spy agencies around the world, including the U.S., also use private companies, organizations and individuals to do things they would rather not be caught doing themselves. This means anything and everything from stealing personal information, leaking to newspapers, to crashing companies, disrupting banking or commerce --even to waging war. So long as spy agencies operate this way, criminality will increase even more. Of course this subject is well outside of the Verizon Report on Data Breaches, but it is more than worth pondering the consequences.

One highlight of the Verizon Report is how quickly cyber attacks are recognized and dealt with. Here the news is generally bad. For the cases which the Verizon team reviewed, 47% of the intrusions were not discovered "for months" and 68% of them were discovered by outsiders, not by the organization or company. While in most cases the intrusion could be fixed in hours or days, it almost doesn't matter if everything has already gone out the door.

Thus, thanks to the Verizon Report we know that that it takes far too long to recognize that a business or organization has suffered a cyber attack. In today's world, where it is getting easier and easier to exploit organizations through the web, often originating in mobile devices (phone and tablets), the problem of detecting a breach and fixing it is growing worse, instead of improving.

Unfortunately rather than seeing an improvement in cyber security, the threat continues to increase and, with it, the risk to our economy and to national security.