IFSEC Insider | Security and Fire News and Resources

Retail Businesses: Biggest Victims of Cybercrime

Retail businesses are the most at risk of cyber attacks, according to John Yeo of online security company Trustwave.

Data from Trustwave’s annual Global Security Report, published on Wednesday, reveals that 45 percent of the company’s investigations in the past year were into data loss and intrusions at retail firms.

This is the first time in the three years since Trustwave began publishing the Global Security Report that retail has topped the list — compiled using data from 450 investigations in the past year carried out by Trustwave’s ethical hacking unit, Spiderlabs.

Retail was closely followed by the food and beverage industry, such as coffee and pizza shops, and the third most common was the hospitality industry, including hotels.

In an exclusive interview with IFSEC Global last week, John Yeo, Head of Spiderlabs in Europe, spoke about the key findings of this year’s report, ahead of the RSA Conference in San Francisco next week.

One of the commonalities across those three is that many of them are franchised or distributed business models.

That’s really interesting from an attacker’s perspective because if they can figure out a way of compromising, let’s say, one hotel property, then they can effectively rinse and repeat to compromise other properties within the same hotel group.

Organised, financially-motivated crime
A massive 80 percent of the attacks were against businesses in the US and Australia, where what Yeo calls a “bricks and mortar compromise” is far more common. He attributes this to the immaturity of the chip and PIN layer of security on payment cards in those countries.

In Europe, where chip and PIN is more mature, cyber attacks tend instead to target e-commerce retailers, and the tools used there are seeking one thing: payment card data.

And the criminals seeking this data are, says Yeo, “well organised, well funded, and well resourced.”

Across the 450 investigations, there were just 40 different variants of malware, developed by only six groups.

Ninety-six percent of the investigations concerned the theft of personal data, specifically card data, which can easily be monetised; theft of intellectual property, which is far harder to turn into cash, made up the remaining 4 percent.

A criminal group in country A can perpetrate a cyber attack against an e-commerce site in country B, and then that data can be sold on, and fraud perpetrated in country C, which gives us a whole bunch of problems from a law enforcement perspective.

As a business, we are focused on responding to financially-motivated cybercrime, rather than state, corporate, or hacktivist-type activity. So that is a bias in our data set.

Looking at the last two years of the Global Security Report: two years ago about 89 percent was focused on personal data, last year 90 percent, and this year 96 percent, so it has been a pretty consistent trend. Payment card data has been for a long time, and remains, very attractive from a hacker’s perspective because of that ease of monetisation.

Who manages your systems?
The Global Security Report also found that there was an increased risk of intrusion in organisations where third party companies were responsible for system administration, with 63 percent of cases involving outsourcing.

We’re not saying outsourcing is bad, or that outsourcing in and of itself introduces security risks, but what we are saying is that many organisations who make bad outsourcing choices end up getting hacked.

There’s a lack of appreciation, and a lack of due diligence, in that outsourcing process, and probably organisations are too focused on the cost-saving implications, and not focusing on what the risk is of a lower level of security.

How do you know if you’ve been hacked?
Yeo continued:

Organisations are really, really bad at self-detecting compromises.

Only about 24 percent of victim organisations that suffered a data breach identified that themselves. The remaining three quarters are reliant on either a regulatory body, law enforcement, a third party, or the public notifying the victim organisation to tell them they’ve suffered a data breach.

Among the organisations that had to be notified by someone else, there is, according to Yeo, a long window between the original intrusion and containment: on average, attackers had free rein in a system for 210 days.

“That’s just the average. If we look at the last 5 percent, it was over two years,” Yeo says.

Common point of purchase analysis
Card schemes, such as Mastercard, use a technique called common point of purchase analysis to link incidents of fraud. For instance, suppose John and I both bought a meal at a specific hotel one year ago, and both later became victims of card fraud. That shared location would show up in the analysis, and by process of elimination the hotel would be identified as the likely location of the data breach.

It could be only at this point that the organisation with the data breach becomes aware.
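The following Python block is an added, simplified illustration of the common point of purchase idea described above; it is not Trustwave’s or any card scheme’s tooling, and the transactions, card tokens, merchant names and dates in it are constructed for the example. Rather than only looking for a merchant shared by every victim, it also compares each merchant’s fraud rate with the background rate across all cards, because a merchant everyone uses (the supermarket) will trivially be shared by all victims; it then reports the earliest transaction at the top candidate as a lower bound on how long the compromise went undetected.

```python
# Added example: common point of purchase (CPP) analysis on constructed data.
# Illustrative code only, not any card scheme's or Trustwave's tooling.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    card: str        # tokenised card reference; a real system never stores the PAN here
    merchant: str
    when: date


def common_point_of_purchase(transactions, fraud_cards, min_coverage=0.5):
    """Rank merchants as candidate breach locations.

    coverage   - share of fraud-reported cards that were used at the merchant
    fraud_rate - share of the merchant's distinct cards that were later reported
    lift       - fraud_rate minus the fraud rate across the whole card population

    Ranking on coverage alone would flag whichever merchant is most widely used
    (every victim shops at the supermarket), so fraud_rate breaks ties and lift
    shows how far the merchant stands out from the background.
    """
    fraud_cards = set(fraud_cards)
    cards_at = defaultdict(set)   # merchant -> distinct cards seen there
    first_seen = {}               # merchant -> earliest transaction date
    all_cards = set()
    for t in transactions:
        cards_at[t.merchant].add(t.card)
        all_cards.add(t.card)
        if t.merchant not in first_seen or t.when < first_seen[t.merchant]:
            first_seen[t.merchant] = t.when
    if not fraud_cards or not all_cards:
        return []
    baseline = len(fraud_cards & all_cards) / len(all_cards)
    ranked = []
    for merchant, cards in cards_at.items():
        hits = cards & fraud_cards
        coverage = len(hits) / len(fraud_cards)
        if coverage < min_coverage:
            continue                      # too few victims share this merchant
        fraud_rate = len(hits) / len(cards)
        ranked.append({
            "merchant": merchant,
            "coverage": coverage,
            "fraud_rate": fraud_rate,
            "lift": fraud_rate - baseline,
            "earliest_transaction": first_seen[merchant],
        })
    ranked.sort(key=lambda r: (r["coverage"], r["fraud_rate"]), reverse=True)
    return ranked


def days_undetected(candidate, notified_on):
    """Lower bound on dwell time: days from the earliest transaction at the
    suspect merchant to the day the merchant was notified."""
    return (notified_on - candidate["earliest_transaction"]).days


# Constructed sample: eight tokenised cards, four of which were later reported
# as fraud victims. The hotel restaurant is the only merchant all four share
# that is not also used by the whole card population.
SAMPLE = [
    Transaction("card-1", "Harbour Hotel restaurant", date(2012, 3, 5)),
    Transaction("card-2", "Harbour Hotel restaurant", date(2012, 3, 9)),
    Transaction("card-3", "Harbour Hotel restaurant", date(2012, 4, 2)),
    Transaction("card-4", "Harbour Hotel restaurant", date(2012, 4, 20)),
    Transaction("card-5", "Harbour Hotel restaurant", date(2012, 5, 1)),
    Transaction("card-1", "Petrol station", date(2012, 3, 6)),
    Transaction("card-6", "Petrol station", date(2012, 3, 7)),
    Transaction("card-2", "Coffee shop", date(2012, 3, 10)),
    Transaction("card-3", "Coffee shop", date(2012, 4, 3)),
    Transaction("card-7", "Coffee shop", date(2012, 4, 4)),
] + [Transaction(f"card-{i}", "Supermarket", date(2012, 2, 1 + i)) for i in range(1, 9)]

FRAUD_CARDS = {"card-1", "card-2", "card-3", "card-4"}
NOTIFIED_ON = date(2013, 3, 1)   # constructed date the scheme notified the merchant


def analyse_sample():
    return common_point_of_purchase(SAMPLE, FRAUD_CARDS)


def sample_dwell_days():
    return days_undetected(analyse_sample()[0], NOTIFIED_ON)


if __name__ == "__main__":
    for row in analyse_sample():
        print(f'{row["merchant"]:26} coverage={row["coverage"]:.2f} '
              f'fraud_rate={row["fraud_rate"]:.2f} lift={row["lift"]:+.2f} '
              f'since={row["earliest_transaction"]}')
    print("days undetected (lower bound):", sample_dwell_days())
```

On the sample data the hotel ranks first (all four victims, 80 percent fraud rate, 30 points above the 50 percent background), the supermarket is shared by every victim but shows zero lift, and the earliest hotel transaction gives a dwell-time floor of 361 days before notification. Real schemes work with far larger populations and noisier histories, but the same two signals, shared exposure and excess fraud rate, are what isolate the breached merchant.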

The 2013 Global Security Report is available now.
