Here’s the odd thing I discerned while thumbing through the 2015 Data Breach Investigations Report issued by Verizon Enterprise Solutions this week: despite a rising level of cyberattack “sophistication,” cyber criminals in the main still rely on decades-old techniques such as phishing and hacking to conduct their nefarious electronic deeds.
Why should that matter for trucking? In the main, I believe that means securing the digital pathways used by motor carriers should be a lot easier than many think.
For example, according to Verizon’s report:
- Some 70% of cyberattacks involve some sort of combination of phishing and hacking.
- Those attacks are often successful because long-available security patches were never installed, leaving a large number of “vulnerabilities” in the business world’s electronic systems.
- In fact, many of those “vulnerabilities” can be traced all the way back to 2007 – a gap of almost eight years.
- Verizon also noted that a significant "detection deficit" exists with regard to cyberattacks: the time that elapses between a breach occurring and its discovery.
- In 60% of data breaches, Verizon found that attackers are able to compromise an organization within minutes. Yet only 50% of organizations were able to respond to such attacks in less than 35 days.
- However, in the end, just being “more vigilant” with regard to cybersecurity would defeat the bulk of cyberattacks, Verizon found.
Verizon security researchers examined nearly 80,000 security incidents this year and linked 96% of them to nine “basic” cyberattack patterns that vary from industry to industry.
Those “nefarious nine” patterns are:
- Miscellaneous errors, such as sending an email to the wrong person;
- Crimeware, which is various malware aimed at gaining control of systems;
- Insider/privilege misuse;
- Physical theft/loss;
- Web application attacks;
- Denial-of-service attacks;
- Point-of-sale intrusions;
- Credit and debit card skimmers.
Verizon added that 83% of the security incidents examined by its researchers involve just the top three threat patterns listed above, up from 76% last year.
“We continue to see sizable gaps in how organizations defend themselves,” Mike Denning, Verizon’s VP of global security, explained in the report.
"While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases,” he stressed. “This continues to be a main theme, based on more than 10 years of data from our investigative report series."
For its research purposes, Verizon segmented cyberattacks into two distinct categories:
- Security incident: Any event that compromises the confidentiality, integrity, or availability of an information asset.
- Data breach: An incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party. That term is also used interchangeably with “data compromise” and “data breach” in Verizon’s report.
Verizon also conducted a first-time overview of mobile security, Internet of Things (IoT) technologies, machine-to-machine security, and the financial impact of a data breach in this year’s report – with some surprising discoveries.
First, at least according to what Verizon’s researchers found, in general, mobile threats are overblown. In addition, the overall number of exploited security vulnerabilities across all mobile platforms is negligible, the company said.
How negligible? Try 0.03%: that is the share of the tens of millions of mobile devices (smartphones, tablets, etc.) being used around the world that were found to be infected with some sort of malicious software. That’s infinitesimally small.
However, when it comes to IoT and machine-to-machine security, such “connected devices” are indeed being used as an “entry point” to compromise other systems.
The report also found IoT devices can be and are being “co-opted” by “botnets” – networks of private computers infected with malicious software and controlled without the owners' knowledge – to engage in denial-of-service attacks.
That finding alone reaffirms the need for organizations to make security a high priority when rolling out next-generation intelligent devices, Denning said.
So what’s the scope of the “big picture” when it comes to the impact of cyberattacks? In 2014 alone, Verizon estimates some 700 million electronic records were compromised around the world, costing $400 million.
Verizon also crafted what it called a new “assessment model” after analyzing nearly 200 cyber-liability insurance claims. The model accounts for the fact that the cost of each stolen record is directly affected by the type of data and the total number of records compromised, and it shows a high and low range for the cost of a lost record (e.g., a credit card number vs. a medical health record).
For example, the model predicts that the cost of a breach involving 10 million records will fall between $2.1 million and $5.2 million 95% of the time, yet depending on the circumstances, could range up to as much as $73.9 million.
For breaches with 100 million records, the cost will fall between $5 million and $15.6 million 95% of the time, yet could top out at $199 million depending on the type of data compromised.
"We believe this new model for estimating the cost of a breach is groundbreaking, although there is definitely still room for refinement," Denning noted. "We now know that it's rarely, if ever, less expensive to suffer a breach than to put the proper defense in place."
So what can companies do to better protect themselves? Verizon offers some advice:
- Increase cyber vigilance.
- Make people your first line of defense.
- Only keep data on a need-to-know basis.
- Install security patches promptly.
- Encrypt sensitive data.
- Use two-factor authentication.
- Don't forget physical security.
The company’s researchers added that the longer it takes for an organization to discover a breach, the more time attackers have to penetrate defenses and cause damage.
Indeed, in more than one quarter of all data breaches, it takes the victim organization weeks, or even months, to contain them.
It’s thus a pretty sobering thought that, statistically speaking based on the data above, motor carriers could jumpstart a stalled tractor or get a blown trailer tire replaced faster than they could contain a company-wide crippling cyberattack.
Something to keep in mind as trucking’s business systems are only going to get more digitized down the road.