5 years of cybercrime: where we’ve been and where we’re going

Cybercrime is always changing. Despite new developments in cyber security and increases in security budgets, the past five years have seen an uptick in major security breaches.

Companies – and even consumers – are creating, storing, and utilising data at unprecedented rates. And it is data that cybercriminals are after, yet many enterprises continue to allocate the bulk of their security technology budgets to network and device security rather than data protection.

In fact, research shows that companies allocate just 1% of their total security technology spend to data protection measures. Here’s a look at the state of cybercrime over the past five years, and a look ahead at where we’re going.


2010: Nearly half of security technology spend allocated to network security

In 2010, companies spent nearly half of their security technology investment (44%) on network security. In that same year, 761 major data breaches were recorded, compromising 3.8 million records.

Physical tampering, spyware, and data-exporting malware were the top three attack methods, yet little spend was dedicated to protecting the very data that serves as the target for so many attacks.

Less than a fifth (19%) of security spend was dedicated to database security, 14% to application security, another 14% to endpoint security/anti-virus, 10% to identity management, and just 1% to data protection.

2011: Stolen credentials emerge as a top mode of attack

In 2011, spyware remained a top mode of attack, joined by brute force and the use of stolen credentials. There were a multitude of notorious cybercriminals who emerged as serious threats to companies like Sony Pictures, the Massachusetts Institute of Technology (MIT), and others in 2011.

Yet companies continued to invest most of their security technology spend in network security (39%). In 2011, 855 major data breaches were recorded, compromising 174 million records, a marked increase over 2010 statistics.

Companies saw a slight increase in spend dedicated to database security in 2011 (21%), while spend on application security and endpoint protection/anti-virus remained stagnant at 14%. Despite the massive increase in attacks through the use of stolen credentials, companies continued to invest just 1% in data protection.

2012: Network security continues to receive the bulk of security technology spend

In 2012, spyware and the use of stolen credentials remained among the top three methods of attack, joined by backdoor exploitation.

In fact, 2012 was the year in which the now widely known Hacking Team first gained recognition for its Remote Control System (RCS), a sophisticated spyware program marketed and sold exclusively to governments and claimed to be untraceable.

Companies experienced a slight decrease in the number of data breaches from 2011, with 621 major data breaches recorded compromising 44 million records.

Companies increased their total spend on network security in 2012, allocating 43% of their total security technology budgets to network security. Other spend remained largely similar, with a slight decrease in spend dedicated to identity management.

More than a fifth (21%) of total security spend went to database security, 15% to application security, 13% to endpoint security/anti-virus, 8% to identity management, and again just 1% to data protection.

2013: Use of stolen credentials becomes the top mode of attack

In 2013, attackers used stolen credentials to carry out data breaches more frequently than any other method, with data-exporting malware and phishing rounding out the top three modes of attack.

A marked increase in both the number of major data breaches recorded and the total number of records compromised occurred in 2013 – with 1,367 major breaches resulting in the compromise of 822 million records, including the well-known Target data breach, which alone compromised as many as 70 million records.

Still, companies dedicated 40% of their total security technology spend to network security, while 21% went to database security, 16% to application security and 12% to endpoint security/anti-virus. Just 1% of total security spend was dedicated to data protection, despite the marked increase in stolen records and data theft.

2014: Number of data breaches continues to rise dramatically

In 2014, stolen credentials remained the top mode of attack used by cybercriminals, followed by RAM-scraping malware and spyware. Sony experienced another major breach in 2014, revealing more than 47,000 Social Security numbers and other valuable sensitive data.

Overall, companies experienced another dramatic rise in the number of major data breaches, with 2,122 major recorded breaches compromising 700 million records.

Even with a marked increase in the number of data breaches and continued data showing that stolen credentials are a frequently used mode of attack, companies failed to shift their security spend accordingly.

In 2014, 38% of security technology spend was dedicated to network security, 18% to endpoint security/anti-virus, 16% to application security, another 16% to database security, and 13% to identity management. Data protection remained the lowest spending category at only 1% of total IT security technology spending.

2015: Cybercrime continues to grow in reach and sophistication

The attacks have grown in sophistication as cybercriminals use new tools and malicious programs to infiltrate corporations and exfiltrate sensitive data that includes personally identifiable information (PII), protected health information (PHI), and payment card industry (PCI) records as well as intellectual property and other confidential documents.

Cybercriminals have grown more creative, using stolen PII from previous large data breaches to commit fraud and identity theft.

For example, in May the IRS reported that cybercriminals used one of the IRS’s online services to obtain tax return information for more than 100,000 households in the US. The cybercriminals used stolen PII to gain unauthorised access to the tax-agency accounts. Around 15,000 fraudulent refunds were issued as a result.

The large leak of PII from high-profile breaches such as Target and Home Depot places consumers at risk for identity theft and fraud, yet the corporations are the ones responsible for losing consumers’ PII.


If more stringent data protection technologies and strategies were put in place, these incidents could have been mitigated and contained to a much smaller scope.

Cybercriminals now run a fully monetised operation and will not relent in their attacks on corporations. However, organisations can prevent these attacks from succeeding if they turn their current cyber security strategy upside down and start focusing on data protection technologies and strategies rather than network security and traditional anti-virus.

Today’s technology is advancing at a rapid rate as new ways to leverage cloud applications, mobile devices and complex systems continue to change and evolve. The ways people and organisations use and access data also continue to change, as do cybercriminals’ attempts at trying to obtain and exfiltrate data.

The only factor that hasn’t changed is that sensitive data is vulnerable and must be secured with data protection technologies and policies that follow corporations’ sensitive data while it’s in use, in transit and at rest.

So far, organisations haven’t invested in those types of protective technologies and have instead focused on perimeter-based security. As long as this methodology stands, data will continue to be at risk.


Sourced from Pete Tyrrell, COO, Digital Guardian


Ben Rossi
