I always look at security reports with skepticism. It's too easy to spin the numbers and motives in ways that distort the true meaning of what's been found. That's why I find Verizon's latest 2012 Data Breach Investigation Report hard to swallow.
It's not that I question the raw data. It's that I think Verizon stretches it by trying to pretend hacktivism and cyberthievery are two different things.
Carolyn Duffy Marsan wrote about the report for Network World, a sister publication of CSO. She explained the report this way:
Hacktivists - not cybercriminals - were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon. The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hacktivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said.
I have to laugh about the last line. After all, aren't hacktivists criminals, too? Judging by all the investigations and arrests of late -- including the LulzSec bust -- one would think so.
Verizon says it examined 855 cybersecurity incidents worldwide that involved 174 million compromised records. Marsan writes, "This is the largest data set that Verizon has ever examined, thanks to its cooperation with law enforcement groups including the U.S. Secret Service, the Dutch National High Tech Crime Unit and police forces from Australia, Ireland and London. Outsiders - rather than rogue employees - were responsible for 98% of the data breaches examined by Verizon last year." She quotes the report as saying, "Activist groups created their fair share of misery and mayhem last year... They stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload."
True, when it comes to motivation, there is a difference. Hacktivists are trying to advance a cause and target those they believe are against that cause. That is obviously a different motivation from the simple pursuit of other people's money.
But the tactics and results are the same. For the targeted organization, that's what really matters. There shouldn't be any difference in the defenses you put in place for a hacktivist or a common thief. Verizon even says as much in the report, noting that the most common attack methods were social engineering (phishing, for example) and the exploitation of weak passwords and lax company security policies.
If you discover your company has been breached, the nature of the stolen data and how it was lifted matter more than the motivation of the attackers.
The answer to the threat is the same as it ever was: Organizations need a program of layered security technologies and policies. They have to make employees use stronger passwords. They have to educate the masses on the social engineering tricks out there.
Again, these are points Verizon makes.
It's a solid piece of research that shouldn't require a shaky angle to attract eyeballs.