Cyber-criminals increasingly targeted retailers more than any other sector in 2012, Trustwave said in its latest report.
Targeted attacks against the retail sector accounted for 45 percent of incidents in Trustwave’s 2013 Global Security Report, released Tuesday. Food & beverage sector was the second most heavily targeted, with 24 percent, followed by hospitality with 9 percent, according to the report. The sheer volume of payment cards used in these industries made them obvious targets, Trustwave said.
The data from the 2013 Global Security Report draws on 450 actual incident-response investigations carried out by Trustwave on the clients’ behalf throughout the year. The report also includes 2,500 penetration tests against websites and Web applications.
Businesses in this sector are vulnerable to targeted attacks because of a “misconception” that they aren’t a target, Trustwave said. And since the business is focused on customer service, not data security, they generally don’t have the expertise to notice when they are under attack, the report found.
The vast majority of the data targeted in these attacks, at about 96 percent, came from customer records such as payment card data, personal identifiable information (PII), and email addresses, the report found. Only 2 percent of the targeted data involved intellectual property, and the remaining 2 percent included electronic protected health information and business financial account numbers.
Outsourcing was a key attack vector in almost two-thirds of security investigations, Trustwave said in its report. Nearly 63 percent of the investigations involved a third-party provider handling IT services for Trustwave’s clients, the report found.
“Many third-party vendors leave the door open for attack, as they don’t necessarily keep client security interests top of mind,” Trustwave said. In some cases, the breach occurred when the client did not realize there was a gap between what the provider was responsible and what remained under the client’s control. This gap was the most evident in the retail and food & beverage sectors, where small shops outsource some or all their IT needs, the report found.
“In some instances, victims were unaware that the third party was responsible only for a subset of security controls, leaving these systems open to attack,” the report noted.
It also took five weeks longer, on average, for organizations to spot a cyber-attack in 2012 than in 2011, Trustwave found. In 2012, the average time from an initial breach to detection was 210 days, with 64 percent of the victims taking over 90 days to uncover a breach. Even more surprisingly, 14 percent of the attacks in the report took two years to be detected. Less than a quarter of the intrusions were detected by the companies themselves, with 48 percent coming from regulatory bodies and law enforcement detecting 25 percent of the incidents.
“Due to advanced subterfuge techniques, malware often goes unnoticed by systems administrators despite being clearly visible to investigators,” the report said.
