Verizon recently released its 2018 Data Breach investigation report which studied 53,000 security incidents including 2,300 confirmed data breaches across 65 countries. The findings show that these breaches are money driven with financial gain and espionage as the motives for around 90% of breaches, and hacking and malware are still the two most utilized tactics used in data breaches, meaning that protecting customer card information is more important than ever. Here are some of the highlights that caught our eye at PCI Pal.
Most of the data breaches (77%) were caused by outsiders but almost a third of them (28%) involved internal actors. We’ve seen this type of breach make headlines; for example, when Expedia was hacked in 2016 by one of its own employees. The report found that when the perpetrator is an internal employee, the culprit is most often the system admin. The easiest fix for this is to stop storing data. Rather than investing time and money in protecting data from would-be hackers (external or internal), simply make sure there’s nothing there to steal. The less customer data stored, the less risk there is of that data being stolen. Instead of just blurring the screen, tools already exist to allow businesses to store code tokens instead of personal information, making certain that not even internal employees have access to the personal data.
Web Application Attacks make up the majority of breaches and the three most common hacking techniques used are account takeover, code injections, and path traversal attacks. This impacts all verticals from retail to finance but it is especially critical for e-commerce companies who are doing hundreds of transactions with card information over the web. It’s imperative that the card information used be protected. These companies should ensure security software is up-to-date which means not only making sure the latest version of software is in use but staying on top of any new patches that need updating. This applies to everyone connecting into your system. To that end, it should be a standard to require strong, unique passwords with a required number of characters or numbers for users, thus making hackers’ lives harder.
58% of breach victims are categorised as small businesses. This doesn’t surprise us as these businesses are likely to be the most resource constrained in their security efforts. But with 68% of breaches taking months or long to discover, it’s vital to constantly protect consumer information and ultimately the business.
If you are a business that could utilizse an industry leading resource to protect your business appropriately, please give us a call. Becoming PCI compliant is ultimately much cheaper than implementing compensating controls or suffering a breach and we’d love to help you.