FORTUNE -- It's that time of year again: Spring is in the air, Monarch butterflies are traveling north, and Verizon's (VZ) data breach report is making the rounds, freaking out already freaked-out chief information security officers around the globe.
The annual report compiles and analyzes more than 63,000 security incidents (as well as 1,300 confirmed data breaches) from about 50 companies worldwide. This year's 60-page document identified nine main patterns of attack, including point-of-sale intrusions, denial-of-service attacks and acts of cyberespionage. According to Verizon, 94% of all security incidents in 2013 can be traced to these nine basic categories.
(As for the other 6% of threats facing corporate America, well, ignorance is bliss, right?)
Here, our summary of the most pressing security threats for major companies:
Hands down, this is the most common type of data breach. According to Verizon's report, web applications remain the "proverbial punching bag of the Internet." How do the bad guys do it? Phishing techniques, installing malware, and, yes, correctly guessing the name of your first stuffed animal, your oldest cousin's eye color and your nickname in sixth grade. There are ways to better protect Internet-facing applications, Verizon insists, and it starts with two-factor authentication.
Incidents of unauthorized network or system access linked to state-affiliated actors have tripled -- that's right, tripled -- over the last year. Espionage exhibits a wider variety of "threat actions" than any other attack pattern, Verizon says, which means that once intruders gain access, they're making themselves comfortable and partaking in all sorts of activities, from scanning networks to exporting data. Verizon warns that we can't keep blaming China, though -- at least not just China. About 21% of reported incidents are now being instigated from Eastern Europe.
Given the recent high-profile Target (TGT) breach, in which hackers gained access to the credit card numbers of some 40 million customers, this may seem like the attack pattern du jour. But Verizon claims point-of-sale intrusions have actually been trending down over the last several years. "Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront," the report's authors write. "But at the risk of getting all security-hipster on you -- we've been talking about this for years." Still, retailers and hotel companies in particular need to be concerned about this kind of attack. It only takes one massive point-of-sale intrusion to scare away customers and investors -- just ask Target.
Skimming mainly affects ATMs and gas pumps, and is a relatively crude form of attack that requires a skimming device to be physically added to a machine. It's hardly a new tactic, but what's different today is the way that the data from "skimmed" payment cards is collected. Before, a criminal had to retrieve the skimming device; now, a thief can remotely collect the data using Bluetooth or other wireless technologies. More modern ATMs are designed to be relatively tamper-free, but this is still a big problem in some parts of the world, such as Bulgaria and Armenia.
Not sure what falls under this category? Imagine someone akin to the rebel NSA defense contractor Edward Snowden, or pretty much any unapproved or malicious use of organizational resources. The most common examples of this are employees using forbidden devices (e.g. USB drives) or services to send intellectual property to their personal accounts -- or, more deliberately, posing as another user and sending messages aimed at getting a colleague fired. According to Verizon, many of the people committing these crimes are payment chain personnel and end users, but C-suite managers were more to blame in prior years. Bottom line: Trust no one.
This category includes any malware incident that doesn't fit into the espionage or point-of-sale buckets. The goal is always some kind of illicit activity, such as stealing users' online banking credentials. Most forms of crimeware start with web activity such as downloads or so-called drive-by infections, where a virus can be downloaded when a user unknowingly clicks on a deceptive pop-up window. What can corporations do to combat these types of attacks? Keep software such as browsers up to date.
Oops, I did it again -- as in, I sent an email containing sensitive information to the wrong recipient. That's the most common example of this kind of unintentional data disclosure. Others include accidentally posting non-public information to a company's web server or even snail-mailing documents to the wrong physical address. There's no cure for human error (other than replacing them with computers, of course), but Verizon says corporations can implement data loss prevention software to reduce instances of sensitive files sent by email and tighten processes around posting documents to internal and external websites.
Here's a fun fact: It turns out that corporate assets like phones and laptops are stolen from corporate offices more often than from homes or vehicles. The primary cause of this type of incident? Carelessness. According to the Verizon report: "Accidents happen. People lose stuff. People steal stuff. And that's never going to change." The only thing you can change, advises the company, is to encrypt devices, back up data, and encourage employees to keep their gadgets close.
Last but not least, so-called DDoS threats include any attack aimed at compromising the availability of networks and systems. These are primarily directed at the financial, retail and public sectors. And while the motives behind shutting down corporate, consumer-facing websites remains the same -- extortion, protest, or perverse fun -- the tools at attackers' disposal have become more sophisticated and more thoughtfully named, such as "Brobot" and "itsoknoproblembro."
More on cybersecurity from Fortune:
It's called Heartbleed, and it leaves much of the Internet at risk of exploitation. Here's how.
By David Nield
FORTUNE -- Late on Monday afternoon, the details of one of the most serious security problems to ever affect the modern web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users. The MOREApr 9, 2014 10:23 AM ET
The relatively new business of cybersecurity is booming. As it turns out, so is the business of training the next crop of engineers for it.
By Melanie D.G. Kaplan
FORTUNE -- Whether it's news of yet another retailer hacking or Edward Snowden -- via videoconference at the South by Southwest conference in Austin, Texas -- calling for developers and cryptographers to improve privacy tools, we've all been through an ad hoc course in MOREMar 26, 2014 3:37 PM ET
Newly appointed AVG chief executive Gary Kovacs on simplicity, Mark Twain, and what to do in a world where you've already been hacked.
FORTUNE -- One of the first decisions Gary Kovacs had to make after he was appointed CEO of the cybersecurity firm AVG was whether to keep a $100 million toolbar business that most people hated. The former Mozilla CEO bit the bullet and jettisoned the longstanding project -- MOREAndrew Nusca - Mar 11, 2014 1:10 PM ET
... is that they cause more investment in cybersecurity.
FORTUNE -- The normally humdrum world of IT security is heating up, and not just because of comedian Stephen Colbert's controversial closing keynote at last week's RSA Conference.
Why? As the number of large-scale cyberattacks grows, so does the number of innovative startups developing new solutions to thwart those attacks. Venture capitalists are taking notice: In 2013, they made a total 123 investments in MOREMichal Lev-Ram, writer - Mar 3, 2014 2:35 PM ET
At a newly controversial industry conference, an exec sounds the alarm on looming cyber threats and government surveillance.
FORTUNE -- Right now, hundreds of the nation's top security executives are at the RSA Conference in San Francisco holding forth on 2014's looming cyber threats and it's, well, awkward.
After Reuters reported last year that conference-sponsor RSA was working with (and being paid by) the National Security Agency, more than a dozen experts MOREAnne VanderMey - Feb 25, 2014 8:04 PM ET
The cybersecurity pioneer explains why merging the two top security firms was in everyone's best interest.
FORTUNE -- Nearly one-and-a-half months ago, security software provider FireEye (FEYE) acquired Kevin Mandia's company Mandiant in a deal estimated at well over $1 billion. But already, Mandia says integration of the two businesses is nearly complete.
Mandia became a national figure last year after his firm Mandiant, which specializes in responding to computer network breaches, MOREJP Mangalindan, Writer - Feb 13, 2014 3:28 PM ET
A young company's new approach to cybersecurity promises to protect websites that, by their nature, expose their underlying code.
FORTUNE -- There's a reason why you don't hear much about security startups -- there aren't that many out there. Unlike social media tools or mobile apps, developing cybercrime-fighting software can take lots of time. And most investors, not to mention customers, don't want to put their money and trust in a twentysomething, MOREMichal Lev-Ram, writer - Feb 6, 2014 1:13 PM ET
Author Peter W. Singer on the cybersecurity issues threatening the American economy.
By Clay Dillow
FORTUNE -- "Ninety-seven percent of Fortune 500 companies have been hacked," says Peter W. Singer, "and likely the other 3% have too, they just don't know it." Such is the less-than-rosy picture painted by Singer -- director of the Center for 21st Century Security and Intelligence at D.C. think tank Brookings Institution and bestselling author of MOREJan 6, 2014 12:13 PM ET
Worse: if you think your company is safe, think again.
FORTUNE -- It took a group of cyber criminals 19 days to steal the personal information of 40 million people from Target's database, but it will take the retailer much longer to recover from the massive theft.
On Wednesday, security blogger Brian Krebs reported that Target (TGT) was investigating a security breach involving stolen credit and debit card information. The retailer confirmed MORECaroline Fairchild - Dec 19, 2013 3:43 PM ET
|Delinquent IRS employees paid bonuses by the agency|
|Students cry foul over athletes unionizing|
|Is capitalism driving itself out of business?|
|Sandy Hook victim's grandfather launches smart gun campaign|
|Court quizzes Aereo: Do TV streams break the law?|