Cyberespionage is usually considered a threat to government agencies and large corporations such as defense contractors and banks. But a new Verizon report on data breaches finds that cyberspies are going after small organizations with the same enthusiasm they once reserved for big outfits.
It's A Small Cyberworld
Not surprisingly, 95% of the state-affiliated attacks aimed at stealing intellectual property, which included classified information, trade secrets and technical resources, originated from China last year, according to the 2013 Data Breach Investigations Report. No organization, no matter how small, was safe.
"The big surprise for us was that there were a lot of small organizations being targeted for cyberespionage," Jay Jacobs, senior analyst with the Verizon RISK team, told ReadWrite. The targets included manufacturing companies, computer and engineering consultants and professional services firms that were "relatively small, even under 10 employees kind of small."
The attackers went after small outfits using the same tactics waged against big companies. In a way, the hacker strategy parallels the way investigators go after the small players in a criminal enterprise, hoping to flip them in order to implicate higher-ups. Only in this case, the hackers are frequently targeting small companies to lay hands on the trade secrets of their larger partners.
Roughly one in five cyberattacks in 2012 were to steal intellectual property in order to further a country's national and economic interests. The most common mode of attack was spearphishing, which involves sending an email disguised as coming from a colleague of the recipient. The message typically contains a malicious link or attachment.
Chinese hacking of American computer networks has placed a damper on relations between China and the Obama administration, which has demanded the country curtail its hacker army. On Monday, Joint Chiefs of Staff chairman, Gen. Martin E. Dempsey, and Gen. Fang Fenghui of China met to discuss cybersecurity.
Despite all the attention, cyberespionage was a distant second in terms of attacker motivation. Three quarters of data breaches committed last year was for financial gain, with the remaining 5% a result of hactivism, the report found. Verizon confirmed a total of 621 data breaches and more than 47,000 reported "security incidents," which included denial-of-service attacks.
Among the companies that suffered data breaches, 37% were financial services firms, 24% restaurants and retailers, 20% manufacturers, transportation organizations or utilities, and the remainder classified as "information and professional services firms." Malware was used in 40% of breaches. Three quarters of the compromises involved exploiting weak or stolen user names and passwords.
Discovering data breaches was not easy for most organizations. Verizon found that the time from compromise to discovery took months, and sometimes years.
Verizon worked with 18 organizations worldwide in gathering data for the report. The groups included national computer emergency response teams and law enforcement agencies.
No one found any cutting-edge methods used by attackers to break into networks, so organizations can go a long ways toward protecting themselves by focusing on the basics, such as stronger passwords and educating employees about bogus email.
Image courtesy of Shutterstock