FORTUNE -- It's that time of year again: Spring is in the air, Monarch butterflies are traveling north, and Verizon's (VZ) data breach report is making the rounds, freaking out already freaked-out chief information security officers around the globe.
The annual report compiles and analyzes more than 63,000 security incidents (as well as 1,300 confirmed data breaches) from about 50 companies worldwide. This year's 60-page document identified nine main patterns of attack, including point-of-sale intrusions, denial-of-service attacks and acts of cyberespionage. According to Verizon, 94% of all security incidents in 2013 can be traced to these nine basic categories.
(As for the other 6% of threats facing corporate America, well, ignorance is bliss, right?)
Here, our summary of the most pressing security threats for major companies:
Hands down, this is the most common type of data breach. According to Verizon's report, web applications remain the "proverbial punching bag of the Internet." How do the bad guys do it? Phishing techniques, installing malware, and, yes, correctly guessing the name of your first stuffed animal, your oldest cousin's eye color and your nickname in sixth grade. There are ways to better protect Internet-facing applications, Verizon insists, and it starts with two-factor authentication.
Incidents of unauthorized network or system access linked to state-affiliated actors have tripled -- that's right, tripled -- over the last year. Espionage exhibits a wider variety of "threat actions" than any other attack pattern, Verizon says, which means that once intruders gain access, they're making themselves comfortable and partaking in all sorts of activities, from scanning networks to exporting data. Verizon warns that we can't keep blaming China, though -- at least not just China. About 21% of reported incidents are now being instigated from Eastern Europe.
Given the recent high-profile Target (TGT) breach, in which hackers gained access to the credit card numbers of some 40 million customers, this may seem like the attack pattern du jour. But Verizon claims point-of-sale intrusions have actually been trending down over the last several years. "Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront," the report's authors write. "But at the risk of getting all security-hipster on you -- we've been talking about this for years." Still, retailers and hotel companies in particular need to be concerned about this kind of attack. It only takes one massive point-of-sale intrusion to scare away customers and investors -- just ask Target.
Skimming mainly affects ATMs and gas pumps, and is a relatively crude form of attack that requires a skimming device to be physically added to a machine. It's hardly a new tactic, but what's different today is the way that the data from "skimmed" payment cards is collected. Before, a criminal had to retrieve the skimming device; now, a thief can remotely collect the data using Bluetooth or other wireless technologies. More modern ATMs are designed to be relatively tamper-free, but this is still a big problem in some parts of the world, such as Bulgaria and Armenia.
Not sure what falls under this category? Imagine someone akin to the rebel NSA defense contractor Edward Snowden, or pretty much any unapproved or malicious use of organizational resources. The most common examples of this are employees using forbidden devices (e.g. USB drives) or services to send intellectual property to their personal accounts -- or, more deliberately, posing as another user and sending messages aimed at getting a colleague fired. According to Verizon, many of the people committing these crimes are payment chain personnel and end users, but C-suite managers were more to blame in prior years. Bottom line: Trust no one.
This category includes any malware incident that doesn't fit into the espionage or point-of-sale buckets. The goal is always some kind of illicit activity, such as stealing users' online banking credentials. Most forms of crimeware start with web activity such as downloads or so-called drive-by infections, where a virus can be downloaded when a user unknowingly clicks on a deceptive pop-up window. What can corporations do to combat these types of attacks? Keep software such as browsers up to date.
Oops, I did it again -- as in, I sent an email containing sensitive information to the wrong recipient. That's the most common example of this kind of unintentional data disclosure. Others include accidentally posting non-public information to a company's web server or even snail-mailing documents to the wrong physical address. There's no cure for human error (other than replacing them with computers, of course), but Verizon says corporations can implement data loss prevention software to reduce instances of sensitive files sent by email and tighten processes around posting documents to internal and external websites.
Here's a fun fact: It turns out that corporate assets like phones and laptops are stolen from corporate offices more often than from homes or vehicles. The primary cause of this type of incident? Carelessness. According to the Verizon report: "Accidents happen. People lose stuff. People steal stuff. And that's never going to change." The only thing you can change, advises the company, is to encrypt devices, back up data, and encourage employees to keep their gadgets close.
Last but not least, so-called DDoS threats include any attack aimed at compromising the availability of networks and systems. These are primarily directed at the financial, retail and public sectors. And while the motives behind shutting down corporate, consumer-facing websites remains the same -- extortion, protest, or perverse fun -- the tools at attackers' disposal have become more sophisticated and more thoughtfully named, such as "Brobot" and "itsoknoproblembro."
More on cybersecurity from Fortune:
Some of his prize money will go to families of the missing Malaysian airline.
FORTUNE -- Everybody's Web software got "pwned" at the Pwn2Own hackers conference this week: Apple's (AAPL) Safari, Google's (GOOG) Chrome, Microsoft's (MSFT) Internet Explorer, Mozilla's Firefox and Adobe's (ADBE) Reader and Flash.
Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines.
Safari was defeated by Liang Chen, one of a MOREPhilip Elmer-DeWitt - Mar 14, 2014 12:07 PM ET
Author Peter W. Singer on the cybersecurity issues threatening the American economy.
By Clay Dillow
FORTUNE -- "Ninety-seven percent of Fortune 500 companies have been hacked," says Peter W. Singer, "and likely the other 3% have too, they just don't know it." Such is the less-than-rosy picture painted by Singer -- director of the Center for 21st Century Security and Intelligence at D.C. think tank Brookings Institution and bestselling author of MOREJan 6, 2014 12:13 PM ET
A hacker calling himself "Mauritania Attacker" listed the names and some account information (no passwords) of 15,000 Twitter users. It's probably a good idea for users to clean up their apps.
FORTUNE -- A hack of Twitter exposing thousands of usernames and associated third-party access tokens appears not to have done any real damage, but it has made a lot of people realize how many third-party apps they have authorized, inspiring MOREDan Mitchell, contributor - Aug 20, 2013 3:28 PM ET
Kevin Mandia, who uncovered Chinese hacking, describes how he stumbled onto one of the largest domestic security breaches ever.
FORTUNE -- When 42-year-old Kevin Mandia went public last February with a 60-page report detailing the Chinese theft of American trade secrets, the move propelled his cybersecurity firm Mandiant to the forefront of a national security fire storm.
The story of how Mandia discovered one of America's largest security breaches ever -- and MOREJP Mangalindan, Writer - Jul 24, 2013 7:34 PM ET
Are China's hacker attacks and its anti-Apple campaign both preludes to a trade war?
FORTUNE -- Hillary Clinton and Admiral Mike Mullen. The nuclear weapons labs at Los Alamos and Oak Ridge. The U.S. Departments of Homeland Security, State, Energy and Commerce. The Wall Street Journal and the New York Times. Lockheed Martin, Dow Chemical and Coca Cola. Adobe, Yahoo and Google
That, according to an alarming (and alarmingly hawkish) article in the Wall Street Journal's weekend edition, is a partial MOREPhilip Elmer-DeWitt - Mar 31, 2013 8:02 PM ET
The programming platform Oracle inherited from Sun continues to plague Apple
FORTUNE -- "Java's not worth building in," Steve Jobs told the New York Times' John Markoff in 2007. "Nobody uses Java anymore. It's this big heavyweight ball and chain."
To Jobs' regret, Java did not disappear. The write-once-run-anywhere programming platform that Sun Microsystems developed and Oracle (ORCL) inherited continues to drag Apple (AAPL) down.
On Tuesday, with foreign hacker attacks on U.S. MOREPhilip Elmer-DeWitt - Feb 20, 2013 6:30 AM ET
For reasons unclear, the online store was not responding Wednesday morning
[UPDATE: As of 11:10 a.m. EST the store seems to be functioning properly. No new products that I can see. Never did get an explanation from Apple PR.]
[UPDATE 2: As of noon EST, the site seems to be misbehaving again. Still no word out of Apple.]
[UPDATE 3: Reader Mehdi Daoudi of Catchpoint Systems reports that the site had fully recovered MOREPhilip Elmer-DeWitt - Aug 17, 2011 9:51 AM ET
With hackers running riot on the Internet, here's how you can get paid to stop them.
By Alex Konrad, contributor
FORTUNE -- Don't let the headlines about New Corp.'s (NWSA) recent phone follies give you the wrong idea about hacking: Cyber crime is only getting more complex and dangerous, but it is creating new jobs for people who want to fight it. Recent high-profile hacks of government sites, Citigroup (C), and Sony MOREJul 22, 2011 5:00 AM ET
The vulnerability of 225 million iTunes credit card accounts has been grossly exaggerated
The headlines over the July 4th weekend were pretty scary.
Wall Street Journal: "Computer-Hacking Group Targets Apple In Latest Attack"
Financial Times: "Hackers Claim Attack on Apple Server"
Gizmodo: "Apple Is Latest Company To Feel the Might of AntiSec's Hacking Power"
Coming less than a month after Steve Jobs unveiled Apple's (AAPL) iCloud project, the reports had a predictably unsettling effect.
"WOW," wrote MOREPhilip Elmer-DeWitt - Jul 4, 2011 8:29 AM ET
|What stumps Warren Buffett? Minimum wage|
|Water becoming more valuable than gold|
|GM's $1.3 billion recall cost wipes out profit|
|Will 7 Apples a day keep the bears away? - The Buzz|
|Ex-Wal-Mart CEO Duke retired with $140 million|