Many security breaches discovered months later
When data becomes threatened, a timely response is critical. However, recent online security findings demonstrate that many breaches are not discovered until months after they have taken place. A new survey from Verizon concerning the methods and effects of corporate data breaches found that over half of incidents took months to discover, going unnoticed until strange activity led to inquiry long after the initial incident. This lack of knowledge means that, at this moment, it is impossible to know how much data is currently under threat.
The survey's authors found it unfortunate that the time to breach discovery was so long, acknowledging that between several months and a year is a long time for sensitive information to be in the hands of criminals. The time to discovery did not, however, see an unusual spike in the latest survey; it remained roughly on par with the numbers from previous years' surveys.
The survey covered a wide profile of businesses, from financial institutions to manufacturing to retail. All proved to be vulnerable to data loss, though the financial sector attracted the most incidents, and information and manufacturing lost the most records in total. The information exposed included credit card details and personal information, as well as trade secrets, copyrighted company documents and classified internal documentation.
The manner in which attackers compromised the accounts was another key survey finding. In 29 percent of incidents, weak login information used by a legitimate user was to blame. When users log in to a system with weak passwords and security questions that are the system defaults, attackers need no malicious software to make their way into that system. Users who maintain better passwords with password manager software are better protected against data thieves playing guessing games.
Not all data thefts are met with slow responses. The Oregon Supreme Court recently praised the actions of Providence Home Health Services in countering its own data breach. The court dismissed a suit against the healthcare provider, according to law firm Davis Wright Tremaine LLP. The company poured time and money into making sure the effects of the theft were minimized. Sadly, the Verizon survey responses paint Providence's response as the exception, rather than the rule. If businesses do not know that their data has been removed until months after the fact, a prompt response is impossible.