Less information has been lost in recent years, but hackers are targeting smaller organizations, a recent report found.
Verizon's 2011 Data Breach Investigations Report found that the combined caseload for compromised records shared between Verizon and the U.S. Secret Service has dropped significantly over the last three years, from 361 million in 2008, to 144 million in 2009, to 4 million last year. However, while the total volume of data loss is at an all-time low, the number of breaches that occurred in 2010 was the highest ever.
The disconnect between breach incidents and the resulting loss of data is most likely due to a change in tactics by hackers, who are moving away from targeting large-scale operations. Instead, the cybercriminals are turning to smaller attacks of opportunity, and are using "relatively unsophisticated methods" to do so, the report found.
More than nine in 10 data breaches stemmed from external agents, the report found, and 17 percent of the breaches implicated insiders. Half of the breaches were a result of some form of hacking.
These results underscore the importance of installing strong information security measures throughout a small business - from the way merchants process payments to how an owner protects client and employee information saved on a company computer.
"This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more," said Peter Tippett, Verizon's vice president of security and industry solutions, in a news release. "And yet, at the end of day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures."
Despite the decline of internal fraud, businesses should also take steps to adequately pre-screen employees, and run criminal background checks when applicable. Doing so may help further reduce the incidents of insider hacking.
Some of Verizon's suggestions for mitigating risk include eliminating unnecessary data, ensuring the company meets essential controls, running audits on the security of remote access services and web applications, keeping tabs on privileged activities and examining payment card processing devices for tampering.
Not protecting employee and customer data can have serious repercussions, as the Texas Comptroller's office recently learned. The office recently announced that some Teacher Retirement System, Texas Workforce Commission and Employees Retirement System of Texas public records were accidentally published to a publicly accessible agency server, the Austin Business Journal reports. As a result, 3.5 million Texans whose information was posted online are now being targeted by phone scammers.