Are threat researchers becoming jaded at the rising number of data breaches and threats discovered? At Symantec the answer appears to be yes.
When the company released its annual Internet Security Threat Report today it noted it had discovered more than 430 million new unique pieces of malware in 2015, up 36 percent from the year before.
A record-setting nine so-called mega-breaches of more than 10 million records were acknowledged — one of them involving 191 million U.S. voter registration records.
“Perhaps what is most remarkable is that these numbers no longer surprise us,” the report says.
The vendor is more alarmed about the fact that security researchers don’t have full insight into the size of the problem.
“In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced,” says the report. “Companies choosing not to report the number of records lost increased by 85 per cent.”
Official report add up to 429 identities exposed last year — a jump of 23 per cent over 2014. But because of some companies either refuse to publicly state– or don’t know — how many records were exposed Symantec guesses the real number more than half a billion.
“The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend,” says the report. “Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping all of us improve our security products and postures, some of this data is getting harder to collect.”
The report comes as the federal government is seeking input from the public on data breach notification regulations affected organizations will have to follow when changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) come into effect.
Under current law organizations can voluntarily notify the federal privacy commissioner of a breach. But under the Digital Privacy Act passed last year organizations covered under PIPEDA will have to notify the commissioner of material data breaches — as well as affected persons.
Whether organizations or the privacy commissioner are obliged to make a public statement including numbers could be included in the regulations. Organizations have until May 31 to get their submissions in to the data breach consultations protection directorate of Innovation, Science and Economic Development Canada.
The Symantec report also indicates that so far Canada continues to remain low on the target list of attackers.
For example, this country was fourth in the number of ransomware attacks a day detected by Symantec (1,641, or 3.8 per cent of all detetections), compared to over 24,000 a day in the U.S. Germany was second with just under 6,000 a day.
Canada was the fifth most common target of social media scams, accounting for 4.4 per cent of scams detected. The U.S. was first with just over 25 per cent.
The Symantec report says at least one zero day vulnerability was discovered a week in 2015 (about 54 over the year). By comparison between 2006 and 2012 the number of zero-days found a year varied between eight and 15.
“It shows that zero day vulnerabilities still remain very common, very popular, especially for cyber criminals who want to attack businesses to get into their environments,” Satnam Narang, a Symantec senior security response manager, said in an interview.
It also means for CISOs that patch management has to a priority, he said. “You want to make sure you’re covering not only known vulnerabilities, but unknown vulnerabilities.” Endpoints also need to be protected with anti-virus that has heuristic technology that can ID vulnerabilities before they are discovered, he said.
Symantec also found that Web sites are still putting users at risk because of unpatched vulnerabilities. Nearly 75 per cent of all legitimate websites have unpatched holes, the report says. Sixteen per cent of legitimate websites have vulnerabilities deemed ‘critical,’ which means it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes, says the report.
“It’s time for website administrators to step up and address the risks more aggressively,” the report urges.
Finally, there’s more bad news: Not only is no business without risk. if you get attacked once odds are it will happen again. In 2015, a government organization or a financial company targeted for attack once was most likely to be targeted at least three more times, says the report.
Overall, large businesses that experienced a cyberattack saw an average of 3.6 successful attacks each.
“As an industry, we need to start moving into a more investigative, clinical-study mindset where we are constantly researching the habits or artifacts that cause the ‘digital diseases,'” the report concludes.
“Cybersecurity is not just about employing the right kind of technology, it also requires good digital hygiene on the part of everyone; both at home, and in the office. Education and greater awareness of cybersecurity issues will help everyone to become more digitally healthy. By being aware of just how many risks you face, you can reduce them, and learn how to recognize symptoms, and diagnose ‘digital diseases’ before they put your data, and your customers’ data at risk.”