Data breaches are a hot issue this winter for retailers and consumers, with Target (TGT -0.50%) and Neiman Marcus working damage control -- and with businesses across industries trying to avoid being next. While Target's breach dominates the news for its sheer size, with up to 110 million customer records affected, other breaches haven't been made public or even discovered yet, and the number of confirmed data breaches is growing.
The problem isn't limited to stories that make the news. The Verizon (VZ 2.98%) Research, Investigations, Solutions, and Knowledge (RISK) Team, one of the world's leading data forensics groups, has gathered data breach statistics from agencies around the world for nearly a decade. The team's May 2013 report on 2012 data chronicled 621 confirmed data breaches and at least 44 million compromised records, bringing the 9-year total for RISK's studies to more than 2,500 breaches and more than a billion records compromised.
The obvious questions, then, are why so many data thefts are happening and how can they be stopped? Common wisdom holds that data thieves — who are usually after financial information -— are incredibly wily and so sophisticated that they are virtually unstoppable. But discussions with security and risk experts reveal that while data criminals may be crafty, most businesses and consumers don't go out of their way to make data theft difficult. In fact, the way human beings are "wired" to assess and act on threats may be the biggest obstacle to keeping our data safe.
Verizon RISK Team director Bryan Sartin spoke to The Motley Fool about data safety for this article. What emerged from that conversation is a picture of mostly easy-to-prevent but hard-to-detect incidents that happened when thieves exploited inconsistent or outdated security measures — usually weak or obvious system passwords.
"Over the last eight years," Sartin said, "in something like 4 out of 5 actual verifiable data breaches, default or easily guessable credentials set the stage for the point of entry. It's a staggering number."
Once a breach happens, especially if it's not a physical theft of equipment but a remote network attack, things get dramatically harder to sort out. It can be months before someone (usually not the victim) detects the intrusion. In most cases the extent of the damage is never clearly understood. According to RISK's 2013 Data Breach Incident Report, "only 15% of reported data breaches in 2012 had a complete and reliable account of compromised records."
We aren't scared enough of abstract dangers
While retailers, banks, consumer advocates, and lawmakers sift through issues such as cost, liability, and regulation, there's one basic but important factor at the heart of the problem — the human inability to understand threats accurately and act accordingly. It turns out that people are not very good at understanding abstract threats, and data is nothing if not abstract for most of us. For our information to be more secure, that "risk-perception gap" must be factored in.
"The definition of risk is the probability of something bad happening," said David Ropeik, Harvard instructor and author of How Risky Is It, Really? Why Our Fears Don't Always Match the Facts. "Probability is calculable, bad is subjective. Risk perception is by definition a matter of feeling more than simple facts. And any risk that is conceptual is harder to take as seriously."
For example, an Associated Press-GfK poll taken in January found that more than half the consumers surveyed were "extremely concerned" about the security of their personal data in the weight of the data breach headlines. But less than half of those polled had even bothered to check their credit report, request new cards, or register for credit-monitoring services.
"That's lip-service worry," Ropeik said, "whereas if somebody had snuck up behind them and stolen their wallet out of their pocket and they saw them running down the street, the identity theft would have felt very different. Same actual thing, only it happened as an abstraction. It's less compelling emotionally. The 'do I feel afraid?' feeling, is less urgent than, say, a snake at your feet or a man with a gun at your head, something that's concrete and tangible."
That lack of an immediate sense of danger affects the way enterprises (made up of humans, after all) assess risk, too.
"So many people think, even in the security space, that these crimes are all smash-and-grab, that even if you could see them you'd be helpless to do anything about them because they're complex and fast-moving," Sartin said. "But that's not the case at all. The crimes don't play out in minutes or seconds, as much as they do weeks, months, or years." In 2012, 66% of the breaches studied by RISK took months to uncover.
We don't realize when we've been hit
In fact, Sartin said, "on average, over the past eight years, it's seven months from the critical point of entry into the victim's network until the victim finds out." That's plenty of time for data thieves, who are most often part of criminal rings, to copy all kinds of data for resale, to install malware that compounds the damage done, and to wreak so much havoc that it may never be fully sorted out.
Sartin, whose team recently led an outreach for its major retail clients, said retailers as a group have a poor track record of detecting data thefts on their own.
"Across all industries, 69% of victims find out from a third party. But within retail, something like 95% find out from a third party. So what you see is that incident detection is terrible overall, but it's somewhat worse than terrible within brick-and-mortar retail. That was staggering to me when I saw that in the data."
Graphic: Author
We're inconsistent with safety measures
According to Sartin, many of these damaging data hacks could be prevented if companies applied what they already know.
"Most people understand what good security is. It's inconsistencies in the application of the basics like good password security [that are the problem]. Almost every company that's hit by the kind of data breaches that we're seeing — they have a company password policy, and a in a lot of their systems they enforce that policy effectively, they just don't enforce it consistently across all the systems that they have," Sartin said. "Most accounts meet the password standard for the company but not all, and it's that small subset that homes the wrong people in."
While Sartin declined to speak about any company specifically, the headlines offer plenty of examples of incomplete security leading to leaks. In January, Horizon BCBS New Jersey officials testified before a state senate panel that "most" of the company's computers were encrypted — although two stolen laptops containing data on 840,000 customers were not.
We ignore the obvious
Sartin says he works with lots of people who believe company insiders are the main threat to data security — after all, they have access to the networks. But DBIR stats show that in 2012, 92% of confirmed breaches were committed by outsiders, and that's consistent with DBIR findings over time. The vast majority of those breaches were not masterworks of elite-level hacking but low-difficulty attacks enabled by security flaws on the victim side. Sartin ties this back in to our tendency to look past security basics.
"Security people get so wrapped around the axle about RAM scrapers," he said. "The RAM scraper is not the problem. The problem is, how did the RAM scraper or malware get into the network in the first place?"
The answer, in the vast majority of cases, is through flawed or weak passwords and other credentials, Sartin said. One of the biggest issues Sartin sees is that companies often neglect to change the default passwords on programs they purchase.
"An application ships with a password, and the password is actually 'default' or 'password' or something like that -- really easily guessable default credentials, on applications that are posted out on the Internet.
"In other words a criminal might scan somebody's network across the Internet, and find that the Lotus Notes version XYZ is accessible on a certain IP address. You look up XYZ, download the vendor's manual right off the Internet and there's the default password. You just try logging in with it and bam, you're in. That's insane from a security perspective. You see that in the largest, most cyber-capable companies out there."
And if security is bad overall, it's worse in retail — even though retailers are a natural target for thieves looking to pick up consumer data.
In the case of the Target breach, security blogger Brian Krebs reports that hackers broke in through a third-party vendor who allegedly used free anti-malware tools licensed for individuals rather than a stepped-up real-time version for corporate users. Once the vendor was hacked, the thieves had access to Target's proprietary networks.
According to Sartin, this kind of scenario is all too common.
"With respect to brick-and-mortar retailers, 86% of the points of intrusion are through desktop sharing technologies. If simple two-factor authentication was used across the board on those technologies, 86% of those breaches wouldn't happen. It's security common sense."
As if that weren't bad enough, many people aren't even doing a good enough job with one-step passwords. Productivity app company Splashdata's annual worst passwords list shows that year after year, people rely on easily guessed passwords to protect their accounts. Why? Again, the human tendency to play down theoretical dangers is to blame.
"Everybody wants to enter 1234567 because they're lazy and the risk is abstract," Ropeik said. (And in fact, 1234567 moved up five places to the number 8 slot on Splashdata's 2013 list.)
What's the fix?
Improving data security naturally involves outwitting cyber criminals, but it also requires us to avoid outsmarting ourselves – and that means acknowledging the flaws in the way we evaluate threats.
"The inherently subjective nature of the way people perceive risk is built into our cognition. You can't change that," Ropeik said. "You can't make everybody perfectly rational. We need to recognize the risk that exists from people getting risk wrong."
So what blend of tech and psych might help us keep our data under wraps?
Steer people and systems to more secure passwords and protocols
At the consumer level, Ropeik says stricter password-security requirements could be used more widely.
"You can't join some programs where you have to create an account name if your password is not secure enough," he said. "The system rejects it. It says, 'No, that's not secure enough. Try again. Make it more complicated.' So the system is designed to make people be more secure."
Obviously, password security is a huge issue for companies as well. For enterprises, Sartin also recommends focusing on identifying and rooting out system vulnerabilities.
"I would say that in four out of five cases, almost all of these vulnerabilities could be prevented with basic vulnerability scans, and not just running vulnerability scans but actually reading what the scan reports tell you. Almost every kind, even a freeware vulnerability scan, will highlight these problems."
Update U.S. point-of-sale technology, but don't treat it as a magic fix
While the EU went to more secure chip-and-PIN debit and credit cards years ago, the U.S. is still using the cheaper and easier to crack magnetic stripe swipe cards. As Krebs, the security blogger, told The Motley Fool recently, chip-and-PIN won't solve retailers' problems entirely or immediately.
"Mag stripe data is where this memory scraping POS malware gets its information from. Until mag stripe is completely gone, unless retailers move to encrypting the card data that's flowing across their internal networks, they will continue to be a target for cyber crooks."
Get better at spotting network intrusions
Sartin wants to see more companies go on the offensive and get better about monitoring what's happening inside their own systems.
"In retail, 93% of all pieces of malware are manually planted by the perpetrator of the crime. The perpetrator made it in through the Internet, through their headquarters, or through their store infrastructure, all the way to ... where this data was hidden. And then they were able to install this thing. So the problem is the lateral movement factor. How can a criminal get around without getting noticed? And how is it that the victims don't see that? That is the big problem, not the malware itself," Sartin said.
"Don't sit back and wait for an intrusion detection system to go off inside your network to tell you you've got a problem. You've got to catch this thing during the pre-attack research phase, before a criminal gets into your network."
Remember the risk-perception gap
Humans are always going to rate immediate, adrenaline-generating dangers as more important than abstract, remote threats, even though the damage done by a single data thief can far outstrip the impact of a lone purse-snatcher. Ropeik said security plans have to take this into account.
"The risk perception gap is unavoidable, and systems have to be designed to encourage behavior that limits the vulnerability. It's not just a matter of a bunch of information and people will get smart and do it all on their own," Ropeik said. "We're pretty smart about why we get risk wrong. An abstract risk means we're not going to worry enough. Now what do we do about it?"
In other words, be consistent about implementing the basics, be on the lookout for outside intrusions, and use the most secure technology available. And find a way to make sure that no one in your system ever uses 'password' as a password. The risk is too great, whether we realize it or not.
