2013 ISTR Shows Changing Cybercriminal Tactics

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, an increasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack than in 2011 (a threefold increase), with 31 percent of all targeted attacks directed at companies with fewer than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks. One of the most significant innovations in targeted attacks is the emergence of watering hole attacks. The attackers compromise the security of a website that an intended target is likely to visit; once the target visits the website, their computer becomes infected with malware. This successful tactic, popularized by a group known as the Elderwood Gang, has infected up to 500 companies in a single day.

Some Incidents are Completely Avoidable

Over the past several weeks I’ve had the opportunity to present Symantec’s Internet Security Threat Reports to several of our customers.  It has been interesting to see the different reactions and feedback to various sections of the report, but one particular statistic in the report seems to consistently receive positive feedback and general agreement.

The statistic in question is from The Top Causes for Data Breach by Number of Incidents, 2011.  The specific statistic is that 34% of all incidents are due to Theft or Loss.   When I’ve discussed this particular statistic with customers, I have proposed that these incidents are entirely unnecessary.

At the root of nearly all of these types of incidents is a failure to properly implement, utilize, and enforce the judicious use of encryption on laptops, mobile devices, backup tapes, USB storage, and other removable media. If encryption is not in place on these devices and they are lost or stolen, most organizations have to assume that sensitive data was exposed and, depending on applicable laws and regulatory requirements, report it as a data breach event.

BYOD is like a BYOB House Party

The times when Mom and Dad left their young teenaged son at home were a perfect time to phone the friends and tell them the party’s at my parents’ house and to bring their own bottle, BYOB! I wasn’t thinking too clearly about the ramifications and risk to our home or personal belongings, or even of my parents getting sued by my friends’ parents. Those so-called friends would show up, and inevitably things were broken and almost always things would come up missing. I would scramble to try and repair everything before my parents returned.

Our place of work is much like our home, and we invite friends or colleagues to bring their own mobile device to the party and consume some sensitive data, BYOD! They are intoxicated with the excitement of the ability to get their work data on their personally owned device and do not understand the implications of that data being removed from the house. What is the real impact to us and them? After all, it’s not like they are worried about their parents coming home.

Be Careful What You Ask For…

A recent announcement by a large technology company that they’re not allowing use of iPhone Siri capability due to privacy and data loss concerns got me thinking about how far voice recognition technology has advanced the ability to use our voices, instead of typing, in a more fluent way to get technology to do something for us.  Voice technology, while it’s been around quite a while, has been a long time coming in a usable and seamless way. And technology like Apple’s Siri takes it to the next level by making it more ubiquitous. In this next instantiation of voice-driven workability, we now have a blending of mobile capabilities and cloud capabilities.  This combination offers a greater degree of flexibility and fluidity by extending the technology into the cloud and taking great advantage of honing the calibration of voice recognition on a dramatically large scale.

RSAC Panel Insights: Can Data Breaches Be Stopped, Really?

Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – No.

The tongue-in-cheek response from James Christiansen, Evantix CEO and CISO, brought a room full of laughter when he said, “Yes, you just need to put the computer in a safe and bury it 30 feet underground.”

Jon Oltsik, an analyst at Enterprise Strategy Group, equated the situation to the war on drugs: “Border control may be able to capture some on the borders, but the problem continues to escalate and keeps getting bigger.” John Townsend, Manager of Information Protection and Security at DTE Energy, commented, “If we use the wall analogy, rather than having a brick fence what we now have is a chain link fence. While we have made some inroads, people are still not taking security seriously enough.”

CISOs are in a Mobile Mindset, but Plenty of Work Remains

With the end of 2011 upon us, one thing is sure: the mobile revolution is in full swing. Smartphones and tablets are everywhere.

In fact, according to the analyst firm Gartner, sales of smartphones will exceed 461 million this year – surpassing PC shipments in the process – and rise to 645 million in 2012. Combined sales of smartphones and tablets will be 44 percent greater than the PC market by the end of the year. Beyond 2011, Gartner says the rise in tablet use will jump to 900 million by 2016.

These devices are not just becoming mainstream, they are penetrating nearly every aspect of our lives. More importantly, for many the line between personal and business devices has been blurred, or erased altogether. More often than not, a single device is used for both personal and business activities, with Gartner also predicting that 80 percent of professionals will use at least two personal devices to access corporate systems and data by 2014.

Security and the Price of Coffee

Usually when the topics of security and coffee are raised in the same sentence, one of two thoughts comes to mind:

  1. Very late nights in the past resolving a security incident
  2. Stalking (i.e. hackers breaching free Wi-Fi hot spot services at local coffee shops)

I strongly believe there should be a third:

  3. Leveraging a simple cup of coffee as a mechanism for breaking the ice and building a relationship with the leaders of business units within your organizations

Too many times I’ve walked in early to a customer meeting to find the IT Security group introducing themselves to the leaders of other departments within their own organizations for the first time.

This event is typically driven by an upcoming project to secure item “XYZ” which involves a new application or process. Although this is a less than perfect situation, it is better than the alternative, where the business does not consult IT security until the organization suffers a breach, possibly from this new project.

Survey Finds an Alarming Gap Between Tablet Usage and Security

The enormous popularity of the iPad and other tablet devices signals a significant shift in how employees access sensitive information. The analyst firm IDC recently raised its forecast for the number of tablets that will be shipped this year by 17 percent, from 53.5 million to 62.5 million (see the IDC press release). That’s in marked contrast to its gloomy forecast for PC shipments, which it predicts will grow by less than three percent this year. This signals a new trend for IT professionals, who are under increasing pressure to enable employees to use their tablets for business purposes. Symantec conducted an informal poll on its Facebook page, asking followers if they use their tablets for business and what, if any, security measures are in place to prevent data loss. The answers were both alarming and not terribly surprising: 100 percent are using their tablets for business, and a significant majority (63 percent) acknowledge that doing so somewhat or significantly decreases security. However, most are not following security best practices to protect sensitive and confidential information. Helping our customers strike that balance between letting employees use their tablets for business without sacrificing security is the driving force behind an announcement we will make October 4th at our annual Vision Barcelona conference.

How are you using tablet computing devices for work?

An end user survey on personal and business tablet trends

Like smartphones before them, tablet devices are making their way into the enterprise whether IT wants them or not. They are yet another tool that keeps us connected both personally and professionally.

What’s unique about tablets is that they give us greater computing power on a smaller device that can be just as effective as a desktop or laptop computer. Tablets certainly increase worker productivity, but they can cause headaches for IT departments. In particular, the commingling of our personal and corporate data is not without risk.

Symantec has developed a short survey to get tablet end users’ perspectives on this trend in business computing. We’d like to learn more about how you use your tablet for work and for personal use, and how your employer is managing the growing use of tablets. The quick three-minute survey can be found here.

Passwords are nowhere near useless in era of mobile apps

Recently a friend of mine lost her smartphone. She sent out a message to all her friends in her social network about how she wouldn’t have a phone for a few days. She also did the right thing and went to her mobile carrier and reported it lost, turning the service off. Unfortunately, though, she wasn’t using any smartphone feature to find her phone or remote wipe it. But at least she was able to make sure it had no access to rack up her phone bill.

All good right?

Unfortunately, her smartphone did not require a passcode to access the apps. Ugh. I asked her about this and she replied back that it was no big deal because she didn’t have any really private information on there, and if so, the phone had no 3G access anymore to send anything off of it. Also, her password would be required to sync the data off of it.
