Verizon Wants to Keep Data Secure
We all know that today there is more data floating around than ever before. As our world becomes more connected, our information is more often digital, and thieves and hackers are always in the shadows, ready to pounce on under-protected data. While data breaches often make news, the fact is they are usually the exception rather than the norm. But that doesn’t mean companies can become lax about how they protect data. One of the first steps is understanding when and how data can become vulnerable.
To help provide insight into this topic, Verizon, www.verizon.com, has released information from its “Verizon 2012 Data Breach Investigations Report.” Organizations contributing to the report included the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the Police Central e-Crime Unit of the London Metropolitan Police.
The report and additional information Snapshots are designed to offer a better understanding of how data breaches occur in various vertical markets, including retail, hospitality, financial services, and healthcare. Additionally, Verizon looked into the topic of intellectual property theft, which can target a variety of industries.
Each industry is impacted by data breaches in different ways, though some areas overlap. For instance, in both healthcare and retail, POS (point-of-sale) systems are attack targets. Today more POS systems are becoming connected to the Internet, which provides for ease of data transfer but also means security needs to be considered for that connection. This is not only the case with POS terminals, but also with a range of devices such as ATMs, vending machines, and gas pumps.
Such a trend is made very real to consumers given the news this week from Barnes & Noble, www.barnesandnoble.com, which announced it had detected tampering with PIN pad devices used in 63 of its stores, spanning multiple markets across the United States. While the retailer said the attack was limited to one PIN pad in each of its affected stores, it did, upon detecting evidence of tampering, discontinue use of all PIN pads in its nearly 700 stores nationwide.
Looking at data breaches in retail in general, Verizon says criminals can exploit weak, guessable, or default credentials via third-party remote access services to POS systems. In healthcare, POS systems were similarly often the target of attacks in which criminals were looking to steal financial information.
According to Wade Baker, director of Risk Intelligence for Verizon Enterprise Solutions, “Most of the healthcare providers and institutions that were compromised were doctors’ offices, clinics, dentists, and things like that. It was also often the point-of-sale systems that were compromised. Because they have to accept your payment, it’s possible that they have the same weaknesses as retailers.”
Overall, Baker says the type of data being targeted is generally financial information or things like Social Security numbers. The report found much less targeting of actual health information, such as data contained within an EHR (electronic health record). EHRs have been touted as a way to more easily store health information, but for some people security has been a concern. Verizon’s study seems to show that most data breaches are not targeting EHRs, but are looking for financial information instead.
Verizon says steps healthcare organizations can take to protect data include changing administrative passwords on all POS systems; implementing a firewall; avoiding the use of POS systems to browse the Web; and making sure the POS is a PCI DSS (Payment Card Industry Data Security Standard) compliant application.
In retail, as in other sectors, Verizon says employees can be involved in data breaches, either wittingly or unwittingly. For example, an employee could accidentally click on a malicious email, allowing malware a path into the system. In cases of intellectual property theft, Verizon says attacks are often the result of collusion between people inside the company and people on the outside.
Intellectual property theft involves scenarios such as state-sponsored campaigns, industrial espionage, insider abuse, and other attacks that target information, but that differ somewhat from cases involving payment information or other common fraud. Verizon says intellectual property theft affects many industries, but cites manufacturing, government, financial, and technology services as important examples.
Baker says when talking about threat agents the report looks at their distribution among external, internal, and business partners to determine who was behind the breach. He says when looking at information breaches overall, “you’re talking well above 90% tied to outsiders and below 5% tied to insiders. But when you look at intellectual property theft, that (number) jumps up to almost half of all of the instances studied involving insiders.”
Clearly, intellectual property theft—and any type of data breach—is a major concern for organizations. As companies learn more about data breaches, they may be keen to beef up security on employees’ mobile devices. Earlier in October Verizon announced it was expanding its Enterprise Mobility as a Service offering that provides organizations with support for managing devices and access.
The service includes features such as Secure Workspace, which allows the user to separate and secure business data on devices, whether they are owned by the company or the employee. Additionally, new Mobile Device Management allows a remote administrator to lock the phone or wipe its corporate information. This can help to ensure data doesn’t fall into the wrong hands.
Preventing data theft involves understanding when and where it can occur, and employing solutions that make an impact. For businesses today, the one thing they can’t afford is to ignore the risks.