EMV chip card protections at the point of sale and a general corporate awareness of card data security are helping lower the number of data compromises worldwide. But fraudsters are moving quickly to bigger targets.
Corporate and internal network attacks showed an increase to 40% in 2015, up from only 18% the previous year, according to the 2016 Global Security report from Chicago-based Trustwave.
Because the U.S. made its initial big push into use of EMV chip cards through an October 2015 liability shift, the numbers reflect that criminals were aware of those changes and began moving on to other targets, said Karl Sigler, threat intelligence manager at Trustwave.
In particular, point of sale data compromises fell to 22% of 2015 incidents, compared to 40% the previous year, and e-commerce compromises dipped to 38% from the 42% of 2014.
"From a payments perspective, the most significant finding is that e-commerce and POS fraud were really down," Sigler said.
But North America remained a key target for POS and other attacks, with 45% of the worldwide incidents taking place there.
In compiling data for the report, Trustwave conducted hundreds of data compromise investigations across 17 countries; logged billions of security and compliance events daily across its seven security centers; examined data from tens of millions of network vulnerability scans and billions of e-mail and Web security scans.
Organizations are aware of the trend of criminals attacking their networks through remote access software and are making the needed changes to strengthen security, Sigler said. "The data shows that rather than just making security an earmark in the IT budget, organizations are making security a priority," he added.
Many organizations are realizing that simply buying security appliances does not, in and of itself, strengthen security, Sigler said.
"Actually hiring skilled people that know how to implement security properly is the only way to close the gap," he said. "You have to set up protective controls, but also set up monitoring and protection."
Illustrating this new security mindset, 41% of data compromise attempts were self-detected by organizations, compared to only 19% the year before, Sigler said.
It is critical that organizations be able to detect problems, the report indicated, as the time between the intrusion and detection averages 15 days when self-policed, compared to 168 days when an organization is informed of a breach by outside organizations such as card networks or law enforcement agencies.
Security experts have acknowledged that many organizations create gaps or seams in their networks by piecing together security software and devices.
Of all the security measures a company can employ to fill those network gaps, it is probably most critical to establish a network patching policy to fix vulnerabilities as quickly as possible, Sigler said.
Fraudsters can release an exploit kit the same day as a patch comes out, disguising their malware as part of the patch in hopes that individuals and organizations will open those files and release malware.
"Criminals are focusing on company clients and end users rather than the network servers themselves," Sigler said. "Defining a patching policy would help a lot of organizations."
Card data remains the key prize for criminals, as more than 60% of attacks focused on card track data or card-not-present transactions. In e-commerce, 53% of attacks went after card data, while 13% targeted proprietary data and 3% sought financial credentials.
The hospitality industry suffered the highest rate of corporate or network attacks at 55% of its compromises, with 45% at the industry's POS networks. Hotel chain breaches during 2015 led to those high numbers, with 64% of those incidents seeking card data, and 18% after financial credentials, the report said.
The advancement of mobile transactions and in-app payments will likely produce a spike in data compromises, as 97% of the mobile apps that Trustwave audited in the past had "some sort of vulnerability," Sigler said. "It is coming as a result of app developers rushing products to market."