"Over 69pc cyber attacks focused on large enterprises "
Symantec Corp., the computer security, backup and availability software company, said in its recently published Internet Security Threat Report (ISTR) that a significant shift in cybercriminal behavior shows attackers are unrelenting in their focus on large enterprises, with over 69 percent, or more than two-thirds, of the targeted attacks in India carried out on them.
Symantec in its report noted that the bad guys are plotting for months before pulling off huge heists – instead of executing quick hits with smaller rewards.
"One mega breach can be worth 50 smaller attacks," said Tarun Kaura, Director, Technology Sales at Symantec India.
Kaura said, "While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better."
Symantec reported that globally, there was a 62 percent increase in the number of data breaches from the previous year, resulting in more than 552 million identities exposed – proving cybercrime remains a real and damaging threat to consumers and businesses alike.
The size and scope of breaches are exploding, putting the trust and reputation of businesses at risk, and increasingly compromising consumers’ personal information – from credit card numbers and medical records to passwords and bank account details.
Each of the eight top data breaches in 2013 resulted in the loss of tens of millions of data records. By comparison, 2012 only had a single data breach reach that threshold, the company said.
“Nothing breeds success like success – especially if you’re a cybercriminal,” added Kaura.
He said, “The potential for huge paydays means large-scale attacks are here to stay. Companies of all sizes need to re-examine, re-think and possibly re-architect their security posture.”
Symantec said that, globally, targeted attacks were up 91 percent and lasted an average of three times longer compared to 2012.
In India, cyber criminals are unrelenting in their focus on large enterprises, with a staggering 69 percent of targeted attacks carried out against them. Despite stepping up their information security measures, businesses in India continue to be an attractive target for cybercriminals.
Furthermore, within organizations, support functions with access to critical data emerged as the strongest target for attackers globally.
Personal assistants and those working in public relations were the two most targeted professions – cybercriminals use them as a stepping stone toward higher-profile targets like celebrities or business executives, the company asserted.
The ISTR further reported that small and medium-sized businesses often have less adequate security practices and resources.
Attackers are increasingly targeting smaller businesses that have a relationship with a larger company. Not surprisingly, in India, small businesses received the highest number of phishing and virus-bearing emails - almost three times as many as the larger targets.
ISTR noted that in India, nearly four in 10 attacks were carried out on non-traditional services industries like hospitality, business and personal services. This was followed by attacks on manufacturing, finance and insurance.
On the other hand, globally, the top data targeted during a breach had moved from just financial information to basic information such as names, addresses, email addresses and government ID proofs.
Interestingly, while non-traditional, service-centric organizations handle such information in large numbers, they may often lack adequate security practices and infrastructure, making them easy targets for such attacks.
Symantec noted that while the increasing flow of data from smart devices, apps and other online services is tantalizing to cybercriminals, there are steps businesses and consumers can take to better protect themselves – whether it be from a mega data breach, targeted attack or common spam.
Symantec also recommended the following best practices:
Protection must focus on the information – not the device or data center. Understand where the sensitive data resides and where it is flowing to help identify the best policies and procedures to protect it.
Provide guidance on information protection, including company policies and procedures for protecting sensitive data on personal and corporate devices.
Strengthen security infrastructure with data loss prevention, network security, endpoint security, encryption, strong authentication and defensive measures, including reputation-based technologies.
Use password management software to create strong, unique passwords for each site visited, and keep devices – including smartphones – updated with the latest security software.
Review bank and credit card statements for irregularities, be cautious when handling unsolicited or unexpected emails, and be wary of online offers that seem too good to be true – they usually are.
Familiarize oneself with policies from retailers and online services that may request banking or personal information.
As a best practice, visit the company’s official website directly (as opposed to clicking on an emailed link) when sharing sensitive information.
(Posted on 24-04-2014)