Companies risk all by skimping on security say Verizon

A cover-all security policy won't stop attackers from wreaking havoc within a company's network, says Verizon.

Having published its 2014 Data Breach Investigations Report, Verizon opened the door on a number of interesting statistics on how security incidents operate around the world.

There were 1,367 confirmed data breaches in 2013 in which the attacker successfully extracted data. This figure is dwarfed by, what Verizon feels, is the more important fact: 63,437 cases of malicious attack were reported, any of which may or may not have resulted in a data breach.

Of all of those incidents, including others that the firm has studied in the last decade, 92 per cent fall into nine distinct categories. Ranging from DDoS attacks to point-of-sale intrusions, all have been responsible for some form of attack on a company.

The hacking community, according to Eddie Schwartz, vice president of global cybersecurity at Verizon, will always look for the weakest point of entry to a network regardless of which tactic they are using.

Most companies have created a mile wide and inch deep security policy where "the bad guys will just drive around it and steal all of the valuables," he told journalists.

"Where there isn't a vulnerable system there is a vulnerable person," added Verizon investigative response unit co-founder Chris Novak.

Phishing campaigns conducted by criminals target C-level executives with social-engineering, pretending to be old acquaintances and business trip colleagues while attaching payloads of dangerous malware.

Breaches are easily avoidable, though, according to Verizon's Risk team manager Paul Pratley. Implementing two-factor authentication, limiting the available access to outside vendors (who can become easily compromised) and limiting admin control can all improve network security.

To completely secure a network however, requires resources that many enterprises simply don't have. Companies are continually having to pick and choose what kinds of protection that they can afford, exposing themselves in the process. This might lead, according to Schwartz, to security-as-a-service becoming a prominent market in the future:

"In the next three years there will be a tsunami of companies avoiding security altogether and using providers, in much the same way as the cloud is used today," he told IT Pro.