Hactivists - not cybercriminals - were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon.
The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hactivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said.
Altogether, Verizon examined 855 cybersecurity incidents worldwide that involved 174 million compromised records. This is the largest data set that Verizon has ever examined, thanks to its cooperation with law enforcement groups including the U.S. Secret Service, the Dutch National High Tech Crime Unit and police forces from Australia, Ireland and London.
Outsiders - rather than rogue employees - were responsible for 98% of the data breaches examined by Verizon last year.
"Activist groups created their fair share of misery and mayhem last year...They stole more data than any other group," the report said. "Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload."
As in previous years, Verizon has found that most cyberattacks were avoidable if network managers followed best practices for information security. Verizon said that 96% of attacks were "not highly difficult," and 97% of attacks were avoidable through "simple or intermediate controls.''
"The large majority of these attacks were not highly sophisticated," said Chris Novak, managing principal on Verizon's data breach investigation response team. "A lot of what we're talking about is known vulnerabilities, like weak passwords. But knowing something is wrong and doing something about it are two different things. I know I'm supposed to eat well and exercise, but I don't always do it."
One of the biggest threats to organizations with more than 1,000 employees were phishing attacks and other scams that involved tricking employees into infecting their systems with malware. These organizations also were more likely to have stolen passwords and physical break-ins to data centers than smaller employers.
Once a corporate network has been penetrated by hactivists or cybercriminals, it takes a long time for network managers to figure out, Verizon said. It took weeks or months to discover 85% of the security breaches in 2011, and 92% of these breaches were discovered by a third-party rather than the company's IT staff.
"One of the most stark things in this data is that once the bad guys get in your network, they were there for weeks or months or years,'' Novak said. "The fact that they can do some serious damage is not so surprising given the timespan of these incidents.''
While CIOs have been focused on securing mobile devices, particularly those owned by employees, the bigger threat is to the servers they operate. Verizon said that 94% of all data compromised last year involved servers, not endpoints.
"We've had a relatively small amount of situations regarding [Bring Your Own Device] scenarios,'' Novak said. "The policies around that are very, very strict in most organizations. With mobile device management software, there is a limited ability to do damage from a stolen smartphone. The majority of devices being targeted are servers.''
"We're finding that the cloud in and of itself doesn't seem to be a significant threat overhead,'' Novak said. "A lot of the breaches we're seeing are when something is moved to the cloud and it had a vulnerability before hand that wasn't fixed. Generally, we're not seeing the cloud add significant risk.''