New cyber-threats that go bump in the night
FORTUNE — It’s that time of year again: Spring is in the air, Monarch butterflies are traveling north, and Verizon’s (VZ) data breach report is making the rounds, freaking out already freaked-out chief information security officers around the globe.
The annual report compiles and analyzes more than 63,000 security incidents (as well as 1,300 confirmed data breaches) from about 50 companies worldwide. This year’s 60-page document identified nine main patterns of attack, including point-of-sale intrusions, denial-of-service attacks and acts of cyberespionage. According to Verizon, 94% of all security incidents in 2013 can be traced to these nine basic categories.
(As for the other 6% of threats facing corporate America, well, ignorance is bliss, right?)
Here, our summary of the most pressing security threats for major companies:
1. Web app attacks
Hands down, this is the most common type of data breach. According to Verizon’s report, web applications remain the “proverbial punching bag of the Internet.” How do the bad guys do it? Phishing techniques, installing malware, and, yes, correctly guessing the name of your first stuffed animal, your oldest cousin’s eye color and your nickname in sixth grade. There are ways to better protect Internet-facing applications, Verizon insists, and it starts with two-factor authentication.
Incidents of unauthorized network or system access linked to state-affiliated actors have tripled — that’s right, tripled — over the last year. Espionage exhibits a wider variety of “threat actions” than any other attack pattern, Verizon says, which means that once intruders gain access, they’re making themselves comfortable and partaking in all sorts of activities, from scanning networks to exporting data. Verizon warns that we can’t keep blaming China, though — at least not just China. About 21% of reported incidents are now being instigated from Eastern Europe.
3. Point-of-sale intrusions
Given the recent high-profile Target (TGT) breach, in which hackers gained access to the credit card numbers of some 40 million customers, this may seem like the attack pattern du jour. But Verizon claims point-of-sale intrusions have actually been trending down over the last several years. “Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront,” the report’s authors write. “But at the risk of getting all security-hipster on you — we’ve been talking about this for years.” Still, retailers and hotel companies in particular need to be concerned about this kind of attack. It only takes one massive point-of-sale intrusion to scare away customers and investors — just ask Target.
4. Payment card skimmers
Skimming mainly affects ATMs and gas pumps, and is a relatively crude form of attack that requires a skimming device to be physically added to a machine. It’s hardly a new tactic, but what’s different today is the way that the data from “skimmed” payment cards is collected. Before, a criminal had to retrieve the skimming device; now, a thief can remotely collect the data using Bluetooth or other wireless technologies. More modern ATMs are designed to be relatively tamper-free, but this is still a big problem in some parts of the world, such as Bulgaria and Armenia.
5. Insider misuse
Not sure what falls under this category? Imagine someone akin to the rebel NSA defense contractor Edward Snowden, or pretty much any unapproved or malicious use of organizational resources. The most common examples of this are employees using forbidden devices (e.g. USB drives) or services to send intellectual property to their personal accounts — or, more deliberately, posing as another user and sending messages aimed at getting a colleague fired. According to Verizon, many of the people committing these crimes are payment chain personnel and end users, but C-suite managers were more to blame in prior years. Bottom line: Trust no one.
This category includes any malware incident that doesn’t fit into the espionage or point-of-sale buckets. The goal is always some kind of illicit activity, such as stealing users’ online banking credentials. Most forms of crimeware start with web activity such as downloads or so-called drive-by infections, where a virus can be downloaded when a user unknowingly clicks on a deceptive pop-up window. What can corporations do to combat these types of attacks? Keep software such as browsers up to date.
7. Miscellaneous errors
Oops, I did it again — as in, I sent an email containing sensitive information to the wrong recipient. That’s the most common example of this kind of unintentional data disclosure. Others include accidentally posting non-public information to a company’s web server or even snail-mailing documents to the wrong physical address. There’s no cure for human error (other than replacing them with computers, of course), but Verizon says corporations can implement data loss prevention software to reduce instances of sensitive files sent by email and tighten processes around posting documents to internal and external websites.
8. Physical theft/loss
Here’s a fun fact: It turns out that corporate assets like phones and laptops are stolen from corporate offices more often than from homes or vehicles. The primary cause of this type of incident? Carelessness. According to the Verizon report: “Accidents happen. People lose stuff. People steal stuff. And that’s never going to change.” The only thing you can change, advises the company, is to encrypt devices, back up data, and encourage employees to keep their gadgets close.
9. Distributed denial-of-service attacks
Last but not least, so-called DDoS threats include any attack aimed at compromising the availability of networks and systems. These are primarily directed at the financial, retail and public sectors. And while the motives behind shutting down corporate, consumer-facing websites remains the same — extortion, protest, or perverse fun — the tools at attackers’ disposal have become more sophisticated and more thoughtfully named, such as “Brobot” and “itsoknoproblembro.”
More on cybersecurity from Fortune: