Today’s threat landscape is in many ways very different from ten years ago. The growth of smartphones combined with pervasive internet, Bring Your Own Device (BYOD) and Application (BYOA) initiatives, introduced new threats to the workplace. Cloud servers made password security all the more important – with employees being able to store and access confidential company information on the move … even via free, public networks.
All empires fall and Apple has proven to be no exception. It may have taken a while, but both their devices and their App Store have been shown to be vulnerable. New forms of cybercrime have emerged. Ransomware is on the rise, where companies have their systems or data frozen by hackers until they make payment. Business email compromise (BEC) is growing too, where hackers hijack a senior executive’s email account and send urgent instructions to other employees, typically instructing them to make fraudulent payments.
Some things haven’t changed that much though. Malware infects thousands of computers every day, and Denial of Service (DOS) attacks remain ever-present. And then there are the avoidable human errors: accidental leaks, lost or stolen devices and weak passwords, all of which cost companies dearly.
Looking at the world’s biggest hacks and data breaches of the last ten years helps us see how things have changed over the decade: where and why data breaches are happening, and who is being hacked by whom.
- Outside versus inside jobs – employees may be seen as the weakest link in the security chain but most of the biggest hacks were by an outsider. That said, this may not be truly representative of the situation because companies may not be obliged or willing to disclose a breach, or to what extent employees were involved.
- Businesses, academic institutions and public organisations have all suffered: British Airways, eBay, Home Depot, JP Morgan Chase, Ashley Madison, TalkTalk, AOL, Dropbox, University of Wisconsin, European Central Bank, Washington State Court System, Adobe, Sony, Betfair, AT&T, RBS WorldPay, Monster.com, and TK Maxx, to name but a few. Not all hackers are after money; some simply want to disrupt, or enjoy the challenge of breaking through defence systems.
- The vast majority of the biggest hacks seem to have happened in the last four or five years, which indicates the problem is either getting worse or the reporting of hacks is getting better, or both.
- Breaches as a result of lost or stolen devices or media are a running feature across the decade, but they seem to have tailed off (relatively speaking) over the last few years. Given the small chance of being caught when using anonymous and remote hacking tactics, stealing a device to gain access to a system may soon become a crime of the past.
- Instances of breaches due to poor security – in spite of the hype around people still using ridiculously simple passwords, this type of breach doesn’t seem to be that prevalent. Perhaps it gets more attention in the press because, like lost or mislaid devices, it’s an obvious and avoidable own goal. Businesses have taken action and deployed strong password policies, reducing both the risk and the prevalence.
- Accidental data breaches don’t appear to be too common either. As bad as they may have been, only(!) about 18 big breaches seem to have been by accident.
Big business hacks are only half the story
Those were the biggest hacks against big businesses or organisations, but don’t be fooled. Small businesses should be under no illusion that they are not a target for hackers. Even a small hairdressing business can be hacked and have its business data held to ransom.
The latest UK Government Security Breaches survey found that nearly three-quarters (74%) of small organisations reported a security breach in 2015, up a whopping 60% from 2014. SMEs are now quite clearly and deliberately in the hackers’ sights. The survey also reveals the potential financial impact a hack could have: “For small and medium sized businesses, the most severe breaches cost can now reach as high as £310,800, up from £115,000 in 2014.”
Reflection is a timely reminder for businesses large and small
Tony Anscombe, Senior Security Evangelist at AVG Business, shares his insight: “Looking back, it’s hard to imagine life without smartphones. They’ve become an everyday essential – a lifestyle and business ‘remote’ always within reach. They help us live more convenient lives but they’ve also introduced new risks. Data can be captured and shared from almost any location in a multitude of ways, many of which simply weren’t possible before smartphones became so powerful or popular. Companies need to stay aware of how these devices can be used in business, and are currently being used, so that any threat to confidential data or systems can be identified and mitigated.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.