A report released by KPMG on Tuesday finds that globally, there's been a 40% increase in the number of publicly disclosed data loss incidents in the past two years. However, financial services firms have seen an 80% decrease in number of incidents in the past five years.
The overall increase is due partly to the fact that companies are getting better at identifying and reporting data breaches, says Greg Bell, global and Americas service leader for information protection at KPMG.
One reason the reporting of data breaches has increased is because of an SEC order in October 2011 that required more transparency over cyber risk and disclosure of the impact of data breaches. "That was the first time publicly traded organizations were obligated to disclose information about data breaches that did not pertain to personally identifiable information," Bell observes.
Another reason companies are more open about reporting data breaches is that the stigma has lessened. "I think everyone understands that when you have been breached or had an active penetration of your network, it's not necessarily because you did not take good care, it's just that the bad guys are moving more aggressively and effectively," he says. "That general awareness has been raised."
The third reason for the heightened data breach reporting is increased transparency and collaboration in the security community at large, Bell says.
In a bit of good news for the financial services sector, it's seen an 80% reduction in data loss by number of incidents. On the other hand, it's still the fifth worst performing sector.
The improvement is a result of effort on the industry's part, Bell says. "Financial services organizations have done a much better job at defending themselves from cyberattack; many of them are considered the most capable or highest maturity when it comes to building secure platforms and using active defense techniques to protect themselves," he says. "They have the ability to prevent most of the simple attacks and they've learned tremendously about how to have better control over their information."
He does expect to see attackers keep trying to infiltrate banks, however. "Financial services is where the money is," Bell says. "All these bad actors are in some way looking to prevent access to money or to gain money, so they're going to spend more time targeting financial services; we expect it to maintain at the forefront of the targeted attacks."
The main cause of data loss in banks is hacking — 35% of incidents in financial services in 2012 were in this category. Another 30% of incidents were caused by fraud and/or social engineering. Much smaller impacts were caused by hard copy loss or theft (8%) and human error (also 8%).
The overall nature of cyberattacks is changing, the report found. They're becoming longer term and targeted. Where cybercriminals used to launch trial balloons to test companies' security vulnerability — the online equivalent of "testing every door in a parking lot and eventually finding someone who was silly enough to leave their car unlocked," Bell observes — most cybercriminals today operate on a "target of choice" basis. "We know you've got some bit of information that we can monetize, therefore we're going to target you continually and persistently until we find a way to get access to that," Bell says.
The dynamics of cybercriminal groups has also changed. "We're now dealing with a large number of highly organized, highly hierarchical bad guys, rather than loosely affiliated groups of black hat hackers," Bell says. "The information they're targeting is fundamentally different. It used to be they were looking to monetize information like stolen IDs to create fake credit cards or infiltrate funds. Nowadays that's harder to do, thanks to regulatory reforms and scrutiny by financial services organizations, but we're seeing that focus change to intellectual property, unreleased financial information, and movements that can manipulate stock markets."
In a bit of security irony, the worst-performing industry in terms of number of people affected by security breaches is technology — 26% of victims were employees or customers of technology companies, which should theoretically be best at deflecting cybercrime. Global Payments, Google, Apple and Facebook are examples of tech companies that have been hit in the past year.
This is part of the targeted approach being taken by the new generation of cybercriminals. "These folks naturally come from a technology background, so they understand technology," Bell says. They look at vendors that make widely used operating systems and apps and realize if they can infiltrate that, they can perpetrate attacks on dozens of other organizations. For instance, by hacking an online banking technology vendor, a cyberthief could figure out how to access to all the banks that company works with.
The KPMG report found that the insider threat has decreased: only 6.5% of breaches in 2012 were caused by insiders. This is due both to better efforts by companies to prevent employees from stealing data and the dramatic rise in external threats. "We have seen organizations spend more time in the vetting of their employee base, particularly for those that may have administrative access like system administrators," Bell says. "I think most organizations have been thoughtful about it."