Cybercriminals are nothing if not persistent when it comes to data breach issues, and their field of motivation is broadening to encompass everything from old standbys like avarice and schadenfreude to new forms of social activism and ideological dissent. While it seems that the only constant in the world of cybercrime is change, there are a few features on that landscape that continue to defy that phenomenon.
One is the type of business most plagued by cybercriminals. Larger organizations continue to be one of the top targets, due largely to the high value of their data. According to a mid-year intelligence report by computer security provider Symantec, companies in the defense industry experienced the greatest number attacks, with an average of 7.3 targeted attacks blocked by the companies’ defenses each day. They were followed by companies in the chemical and pharmaceutical industries (with an average of 2.9 attacks blocked per day) and manufacturing concerns (1.5 attacks blocked each day, on average).1
In terms of the number of personnel, large companies with more than 2500 employees continued to be the most popular targets, accounting for 44 percent of all targeted attacks in the first half of the year, Symantec said. And it appears that many larger organizations hold no illusions about their own vulnerabilities. According to the results of a recent survey of 100 information security executives at companies with annual revenues in excess of $100 million, a third doubted that their organizations could fend off future attacks, and 84 percent said their companies were vulnerable to “advanced persistent attacks” – characterized as highly aggressive assaults launched by major criminal organizations and foreign governments.2
While high profile attacks and breaches dominate the news, cybercrime can and does occur on much more modest scales, and increasingly, to more modestly sized businesses. According to the Symantec report, more than a third of targeted attacks on businesses in the first half of 2012 were aimed at companies with fewer than 250 employees. That amounted to twice the percentage of attacks aimed at similar sized companies at the end of the previous year, Symantec said. In terms of the number of targeted attacks, the company said it blocked an average of 58 each day aimed at small businesses in the first half of 2012.
In 2009, businesses with 100 or fewer employees accounted for 27 percent of the 141 cases of data breach included in a study by Verizon and the U.S. Secret Service. By 2010, such small businesses accounted for 63 percent of the 761 cases in the study.3
The Rise of Hacktivism
According to the Verizon report, 98 percent of the breaches investigated originated from outside agents in 2011, up six percent from the previous year. Breaches that implicated internal employees came in at 4 percent, down 13 percent from the previous year. But it is the recent growth of hacktivism, which rose from a historically fringe element to a substantial force in 2011, that adds a new set of wrinkles to watch for in the fabric of cybercrime. Most hacktivist attacks in 2011 were conducted against larger organizations, whose higher profiles afforded the attackers a greater degree of notoriety. However, since the motivations behind this form of cybercrime range from ideological activism to sheer greed, hacktivism may find its way to organizations of all sizes.
The Stepping Stone Connection
In looking at reports such as those conducted by Verizon and Symantec, it appears that many cybercriminals are exploiting what are often perceived as comparatively lax security measures at smaller companies that often partner with larger companies. With data gathered from these smaller companies, it may be possible for attackers to penetrate the defenses of their larger corporate partners.
We Can’t Change the Wind…

At the end of the day, how does information gleaned from surveys and studies translate into the real world? For one thing, it demonstrates that the threat of a data breach is very real for companies of all sizes. For another, in an era of tight funding for IT security departments, it underscores the value of gathering good intelligence before committing limited resources.