The One Place Where Hackers Don’t Steal Your Information
Data breaches seem to be one of the new realities of living in a technological world. As Ashley Madison proves, not even bedrooms are safe from hackers. The average data breach now costs an estimated $3.5 million to resolve, with some of the most damaging breaches in the $30 million range. These compromises aren’t just costly for companies — they’re hugely inconvenient to consumers who need to monitor credit activity and health records much more closely as a result.
A report from Verizon’s Enterprise Solutions team shows that breaches could cost much more than that in coming years, especially as the cost to shore up customer information comes at a premium. Each customer record carries a cost: securing that information or, in the case of credit card numbers and other identifying information, changing it if necessary.
For companies with 10 million stolen records, the cost will likely fall between $2.1 million and $5.2 million, with a high-end estimate at as much as $73.9 million. With larger companies harboring around 100 million records, the cost will be between $5 million and $15.6 million about 95% of the time, topping out at a maximum possible cost of $199 million. “We now know that it’s rarely, if ever, less expensive to suffer a breach than to put the proper defense in place,” said Mike Denning, vice president of global security for Verizon Enterprise Solutions.
The report, which is released annually, goes over large-scale trends related to breaches and includes information about how most of them occur. Last year, the financial loss of 700 million compromised records totaled $400 million — and that’s just counting the 70 organizations Verizon partnered with to produce the report.
Of the general findings, one of the more revealing is the comparison between how quickly data can be stolen and how long it takes for a company to realize its databases were infiltrated. In 60% of breaches, attackers are able to compromise an organization’s security safeguards within minutes. Detection, however, can take multiple days. In the report, Verizon plotted the “detection deficit” between those two events. Both were scaled to occur “within days” and graphed against each other to show the lag that often occurs before someone notices that hackers have gotten into the system.
The gap shows the deficit between when breaches and detection occur in “days or less” — in other words, when it’s not taking weeks or months to notice something is wrong. Though that deficit is still high, at 45%, the gap is much smaller than it has ever been and is a full 32 percentage points smaller than in 2013. Right now, it’s too soon to say if this is a fluke or if detection is actually happening much faster.
Another thing to note is that hackers use a combination of old and new techniques to access protected data files. Just because a security patch is old doesn’t mean companies should stop using it, Verizon warns. “Apparently, hackers really do still party like it’s 1999,” the report states. “The tally of really old CVEs [Common Vulnerabilities and Exposures] suggests that any vulnerability management program should include broad coverage of the ‘oldies but goodies.’ ”
Aside from the fact that companies are getting moderately better at detecting hacks more quickly, one of the few silver linings within the report is that there’s still one digital area that hackers don’t seem to be very interested in: your smartphone. In fact, Verizon got cutesy with its subheading in the “Mobile” category and dubbed the section “I got 99 problems and mobile malware isn’t even 1% of them.”
Despite the exponential rise of mobile users and devices in the past several years, coupled with a ballooning rate of mobile ads and other add-ons, hackers don’t seem to be all that interested in the data on your phones, according to Verizon. Even adding numerous new contributors to the report didn’t change what Verizon has said for years: “Mobile devices are not a preferred vector in data breaches.”
In fact, according to the company’s calculations and its own wireless data, fewer than 70,000 unique devices were affected by any sort of malware in a single month during 2014. Keep in mind, that’s compared to the tens of millions of devices connected to Verizon’s network. It did find that malware infections do exist on mobile devices, but that the count of devices that were compromised was “truly negligible.” In fact, the number works out to be about 0.03% of all devices on Verizon’s network.
Of those malware infections, most only stuck around for a week or so before disappearing. Verizon’s team hypothesizes this is because the malware is piggybacking on legitimate games and apps that are short-lived in their popularity on your phone.
Android “wins” the malware attraction game
The report confirms one major rumor that has persisted from the Mac vs. PC debates of old: Hackers care little about breaching mobile devices, and they care even less about getting into Apple’s iOS devices. In fact, Verizon deemed Android the runaway winner when it comes to attracting malware, “In that it’s the most vulnerable platform; kinda like winning a free tax audit.” Android doesn’t just win, the report says, but “wins so hard that most of the suspicious activity logged from iOS devices was just failed Android exploits.”
According to one partner of the report, FireEye, 96% of mobile malware was targeted at breaching the Android platform. More than 5 billion downloaded Android apps are vulnerable to remote attacks. Apple does have some vulnerabilities because of EnPublic apps, which bypass Apple’s review process. And all devices are subject to adware, the software that delivers ads to make money. Though the delivery service isn’t inherently harmful, it does often “aggressively” collect personal information from the device it’s stored on, including name, birth date, contacts, and more.
Mobile devices have shown they’re vulnerable to breaches, Verizon acknowledges. But in light of the large-scale attacks on numerous other companies, resources should be directed toward those threats first. For mobile, Verizon instead advises companies to take a more preventive approach: “When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly.”
Follow Nikelle on Twitter @Nikelle_CS