Credit card numbers, email addresses, and passwords were just some of the 174 million compromised records the Verizon RISK Team studied for their annual review of the nation's data security. Cybercriminals rarely have to rely on an "inside man," since 98 percent of the security incidents Verizon studied originated from external sources. Instead, Verizon's security experts claim, lax policies and confusion about technology leave many systems vulnerable to attack.
Verizon's security experts said that 97 percent of the data breaches they studied in 2011 could have been prevented through simple measures, such as:
- Installing firewalls on remote access systems. Inexpensive systems can detect intrusion attempts, shutting off access to anyone except trusted personnel.
- Changing default security credentials on routers and point-of-sale systems. An open router with a "LINKSYS" or "Wireless" ID doesn't just mean "free Wi-Fi." It signals to thieves that a business owner hasn't taken the time to customize their security settings. Thieves can use unsecured networks to access point-of-sale terminals with easily guessed passwords.
- Checking contractors' work. Verizon's researchers found that many companies outsourced their IT and networking tasks, but hadn't confirmed that security projects had been completed to industry standards. Likewise, many contractors leave clients in charge of switching passwords from default settings.
- Eliminating unnecessary data. Modern credit card processing systems don't require merchants to store full credit card numbers on their own networks. However, Verizon found many vendors keeping copies of full credit card numbers and security codes, outside of PCI DSS standards.
- Establishing and checking controls. Clear policies restricting password sharing and data copying can help reduce incidents involving social threat agents, researchers said.
- Checking for threat indicators. Researchers recommend inspecting and replacing equipment that appears tampered with or broken as soon as possible. Some criminals have attached skimming devices to retail credit card swipers, or installed key-logging software on office equipment without raising suspicion.
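
A check for the "Eliminating unnecessary data" item above, as an added example that is not part of the Verizon report: a Python scan of text for stored full card numbers, using a digit-pattern match confirmed by the Luhn checksum. The function names and the sample data are constructed for illustration, and the card numbers in the sample are standard test numbers.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the first six and last four digits so the report holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return [(line_number, masked_number)] for each Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Skip runs of one repeated digit (e.g. all zeros), which pass Luhn trivially.
            if len(set(digits)) > 1 and luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits

# Constructed sample: an order id that fails Luhn, and two well-known test card numbers.
SAMPLE = """\
order=1234567890123456 status=shipped
card=4111111111111111 exp=12/14
note: customer read number 5555 5555 5555 4444 over phone
terminal=POS-07 amount=19.99
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE):
        print(f"line {line_no}: possible stored card number {masked}")
```

The Luhn check filters out most order ids and other long digit strings, but a hit still needs manual review before the data is purged.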
Though the Verizon RISK Team reported an uptick in high-profile data breaches sponsored by activists, the report indicates that many criminals rely on lax security among smaller targets. Retailers, hotels and food service vendors made up more than one-third of the locations where thieves accessed consumer credit card data and other information during 2011.