Poor breach detection makes firms easy pickings for hackers

Food and beverage-industry companies are the top target for cybercriminals – but even they are waiting up to six months before they know they've been hit, security consultancy Trustwave has warned in the latest of a string of industry security surveys confirming that hackers continue to be both as active and as effective as many companies fear.

Working through summaries of activity by its ethical hacking arm, SpiderLabs, Trustwave found that franchise businesses accounted for more than a third of the group's investigations during 2011. This may be because their independent status makes them a perceived softer target for thieves keen on pilfering poorly-secured customer data – which was the target in 89 percent of attacks.

Franchises tend to use the same IT systems across stores, which allows hackers to capitalise upon economies of scale to attack many businesses with discrete customer records. Furthermore, in the highlighted food and beverage industry – read: hotels and restaurants – customer data is often collected and stored in a relatively haphazard way that's frequently tied to point-of-sale terminals and stored in isolation.

"Any organisation can be a target," says Trustwave SpiderLabs head Nicholas Percoco. "Those most susceptible are businesses that maintain customer records or that consumers frequent most."

Stunningly, SpiderLabs' analysis showed dismal rates of detection of security breaches during 2011: only 16 percent of compromised organisations were able to detect the breach themselves, with the remaining 84 percent unaware until they were approached by an outside party – law enforcement, a regulator or a consumer interest group. Even then, it took an average of 173.5 days – just under six months – before the attack was detected.

There was a silver lining, however: among companies that were contacted to inform them they had been breached, the notifying authority was a police body in 33 percent of cases – compared to just 7 percent in 2010. That suggests the recent intensification of police efforts around hacking is paying off, with the Australian Federal Police mentioned alongside Interpol and equivalent police-driven organisations in the US and UK.

It's not enough to count on the police to come knocking after you've been hacked, however: Trustwave points out the importance of companies getting more proactive about their security practices – with employee education, identification of users, homogenisation of hardware and software, creation of asset registries, unification of activity logs and visualisation of security events all named as important security best practices and recommended strategic focuses during 2012.

Recommending an improved security profile is one thing, but actually delivering it is another, as every company knows. Outside the rarefied heights of security-vendor analysis and surveys, strictures on IT funding are preventing many organisations from implementing change comprehensive or effective enough to address these issues.

A recent report from the American National Standards Institute found that 60 percent of surveyed executives blamed insufficient funding for the ongoing plague of security breaches of health-related information, which research firm Ponemon Institute said jumped 32 percent last year; half of respondents said time was the limiting factor. Healthcare providers and related companies have, Bloomberg reports, said they need to boost cybersecurity spending from $US23 million per year to around $US155 million in order to stop 95 percent of attacks – which numbered 385 incidents affecting 10 million Americans between 2009 and 2011, according to Department of Health and Human Services figures.

Similar requirements are being seen across a broad range of industries, with Tufin Technologies recently reporting that proposed changes to the European Union's data protection legislation would force organisations to take a good long look at their security policies and technology, with 27 percent reporting they have increased security budgets as a result.


Copyright © 2012 IDG Communications, Inc.