Cybercriminals more patient, eyeing bigger targets: Symantec
By Gabey Goh July 29, 2014
- Personal assistants and PR the two most targeted professions
- In Malaysia, healthcare, transport and utility sectors being targeted
IN 2013, there was a 62% increase in the number of data breaches globally from the previous year, resulting in more than 552 million identities being exposed, according to the latest Symantec Internet Security Threat Report.
The size and scope of data breaches also exploded, with Symantec dubbing 2013 'The Year of the Mega Breach,' putting the trust and reputation of businesses at risk, and increasingly compromising consumers’ personal information, from credit card numbers and medical records to passwords and bank account details.
Each of the eight top data breaches in 2013 resulted in the loss of tens of millions of data records. By comparison, 2012 only had a single data breach reach at that threshold.
Symantec vice president for Asia South and Korea, Eric Hoh, said that the most surprising finding from the report was the willingness of cyber-attackers to be a lot more patient, waiting to strike only when the reward is bigger and better.
“There is a shift from just machinegun-style attacks to highly-targeted ones. With cybercriminals constantly innovating and enhancing their modes of attacks, companies globally and in Malaysia cannot afford to let their guard down,” he said at a media briefing in Kuala Lumpur.
“The consequences of complacency can be far-reaching, causing commercial and reputation damage,” he added.
Targeted attacks were up 91% globally in 2013 and lasted an average of three times longer compared with 2012. Personal assistants and those working in public relations were the two most targeted professions – cybercriminals use them as stepping stones toward higher-profile targets like celebrities or business executives.
The most common method is via a phishing email, with the subject line ‘Order Payment’ directed at the personal assistants.
Nigel Tan, director of Systems Engineering at Symantec Malaysia, shared an incident which occurred in 2013 involving a French company, where the assistant received an email about an invoice, asking her to download a file.
A security-conscious employee, she didn’t want to open the file, and later got a phone call from what seemed like an angry customer about it.
“The phone call about the invoice included threats about legal action, and the assistant – not wanting to get into trouble – conceded, and did as requested. Scare tactics are increasingly being used and companies must be mindful that cybercriminal tactics don’t only encompass a single vector of attack,” said Tan.
The Symantec Internet Security Threat Report also found that Malaysia’s Internet security profile declined last year and was ranked 33rd among countries when it came to Internet security threat activities.
Tan said this was a clear indication that cybercriminals have not slowed down.
“In fact, they are increasing the efficiency of their campaigns and have their eye on small and medium businesses (SMBs) with fewer than 500 employees, in particular the healthcare, transport, utility sectors in Malaysia which ranked in the top three for phishing and malware attacks,” he said.
Tan noted that one possible reason for these particular sectors being popular was their relative level of concern or focus on security compared with other sectors such as finance and telecommunications.
That being said, large organisations remain under threat and cannot afford to be lax on security, especially in Malaysia, as the report found that 60% of targeted attacks here were aimed at large organisations compared with the global percentage of 39%.
“What this tells us is that cybercriminals, at least for Malaysia, tend to target larger organisations,” said Tan, adding that the percentage of targeted attacks aimed at non-traditional services such as hospitality and entertainment stood at 58.97%.
He emphasised that the statistics did not reflect the security defences of large organisations, but rather cybercriminals choosing to target them directly.
Symantec Malaysia principle consultant David Rajoo said that in other parts of the world, there is a growing trend for attacks to be centred on smaller organisations, as a pathway to getting access to larger organisations.
“In this part of the world, it could be due to the cybercriminals deeming directly targeting large companies as a more worthwhile way to spend their efforts,” he said.
Rajoo said that the potential for huge payouts means large-scale cyber-attacks are here to stay, adding that companies of all sizes need to re-examine, re-think and possibly re-architect their security posture.
“What is interesting is the targeted attacks became slow and low as cyber-attackers increased the number of campaigns they ran, but decreased the emails used and the number of people they attacked in each campaign.
“It’s almost as if they brought in efficiency experts to improve their attack campaigns,” he added.
While the increasing flow of data from smart devices, apps and other online services is tantalising to cybercriminals, there are steps businesses and consumers can take to better protect themselves – whether from a mega data breach, targeted attack, or common spam.
Symantec recommends the following best practices:
Know your data: Protection must focus on the information – not the device or data centre. Understand where your sensitive data resides and where it is flowing to help identify the best policies and procedures to protect it.
Educate employees: Provide guidance on information protection, including company policies and procedures for protecting sensitive data on personal and corporate devices.
Implement a strong security posture: Strengthen your security infrastructure with data loss prevention, network security, endpoint security, encryption, strong authentication and defensive measures, including reputation-based technologies.
Be security savvy: Passwords are the keys to your kingdom. Use password management software to create strong, unique passwords for each site you visit and keep your devices – including smartphones – updated with the latest security software.
Be vigilant: Review bank and credit card statements for irregularities, be cautious when handling unsolicited or unexpected emails, and be wary of online offers that seem too good to be true – they usually are.
Know who you work with: Familiarise yourself with policies from retailers and online services that may request your banking or personal information. As a best practice, visit the company’s official website directly (as opposed to clicking on an emailed link) if you must share sensitive information.
To access the full Symantec Internet Security Threat Report, click here.