The IOCTA, or the Internet Organised Crime Threat Assessment, is an annual document put together by Europol (the European Police Office) that aims to inform decision makers on where the biggest cybersecurity threats lie. Covering threats to both private industry and non-industry citizens within the EU, the document is self-described as "forward-looking" and it offers "analyses of future risks and emerging threats."

The latest document, the IOCTA 2015, is a pretty good gauge of what we should be looking out for and it's important that we (those in the EU in particular) consider its findings in future. You may not have time to go through the entire document, though, which is why we've picked out the need-to-know parts of it, as summarised in the sections below.

The Key Findings of IOCTA 2015

The key findings of this year's report made it clear that cybercrime is an ever-growing and ever-changing structure. Europol notes that even as malware engineers end their support of "old school" banking Trojans (Zeus, Citadel and SpyEye are given as examples), replacements have quickly cropped up, with the likes of Dyre and Dridex being described as the "new generation of malware". The use of ransomware (software designed to block access to a system) that incorporates encryption and of malicious Remote Access Tools (RATs) is also on the rise.

Furthermore, as retailers make an effort to protect themselves against card skimming and other card-present fraud, malicious people have only begun to exploit online storefronts. Europol confirms that card-not-present payment fraud is increasing and that businesses are taking more measures to prevent card-present fraud (take a look at ZeroRisk PINpoint), but the agency stresses that "malware attacks on ATMs are still evolving", so we shouldn't take our eye off the ball.

Another key finding is that publicly disclosed data breaches are often followed up by credit card fraud, phishing and other security issues as the stolen information floods online channels, leading to a sort of double-punch. Social engineering is still a threat too, with people still being manipulated (via phishing or conversations in real life) for account info.

Key Statistics from IOCTA 2015

Several breach categories are listed below, along with some key stats.

  1. Payment Fraud: In the EU last year, ATM-related payment fraud decreased by 26%, though takings from it rose by 13% as criminals began to move their operations to countries in the Americas and Southeast Asia (e.g. Indonesia and the Philippines) in order to get higher takings from the use of cloned or 'compromised' cards. They do this because chip and PIN protection has not been "fully implemented" in these places yet and the weaker security makes it easier for them to conduct their criminal activity. As for card-not-present transactions, Visa and MasterCard have reported that 67% and 69% of their losses (respectively) in 2014 came as a result of online/postal/telephone orders.
  2. Malware: Malware comes in many different forms but a big one to be wary of is CryptoLocker (ransomware) which is the "top malware threat affecting EU citizens". It has infected over 250,000 EU computers since September 2013 and it's described as a "notable threat" to EU financial institutions. Then there's Dyre, a malware that steals information; it has targeted over 1000 banks and financial institutions since 2014, with Europol saying that "some campaigns use additional social engineering techniques to dupe their victims into revealing banking details".
  3. Social Engineering: In 2014, the effectiveness of phishing campaigns rose and Europol states that 23% of those who receive phishing messages will open them and 11% will open attachments. Spam levels are also at their lowest since September 2003, but CEO fraud (when the CEO or CFO of a company is impersonated to gain access to their bank account) "is now leading to significant losses for individual companies".
  4. Data Breaches and Network Attacks: The document notes that 2014 was the "year of the data breach", saying that 25% were due to crimeware, 20% were due to "insider misuse" and 15% were because of physical thefts or losses. One third of the breaches occurred because of "miscellaneous human errors, such as sending sensitive information to the wrong recipient or accidentally publishing sensitive data to public servers".

What Can Your Organisation Do to Prevent Breaches?

The IOCTA offers a great many key recommendations, such as reporting breaches and attacks to the police or other appropriate agencies. To prevent these breaches from occurring in the first place, however, it's advised that you make use of security testing.

There are several different types of tests. On the one hand, there are penetration tests (also known as "ethical hacks" or "ethical hacking"), which use the same methods and means a malicious user would use to gain access to your network and steal sensitive data. This allows the pen-testing organisation to see whether your security countermeasures are up to scratch and it allows you to figure out what needs to be done to improve them. On the other hand, there's vulnerability testing, which identifies weak spots in your security infrastructure.

Security tests are useful when it comes to protecting yourself against future breaches or breach attempts, as they help you limit what (if anything) the malicious user can access and they also allow you to take steps towards better IT security, patching vulnerabilities and preventing breaches from happening.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics with the eyes of a non-technical person, speaking a simple language and trying to show the readers the benefit of IT Security best practices.