‘Mega breach’ cyber attacks increasingly common, security firm says

Cybercriminals are plotting for several months to pull off major breaches for larger rewards, rather than “executing quick hits,” IT security firm Symantec Corp. says, based on its most recent Internet Security Threat Report.

“One mega breach can be worth 50 smaller attacks,” Kevin Haley, director of Symantec Security Response said in a press release.

“While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better.”

Last year saw a 62% increase in the number of data breaches over the previous year, resulting in more than 552 million identities exposed, the firm said. Of the eight top data breaches in 2013, all resulted in the loss of tens of millions of data records, while 2012 only had a single data breach reach that threshold, Symantec said.

Targeted attacks were also up 91% last year  and lasted an average of three times longer compared to 2012.

Personal assistants and those working in public relations were the two most targeted professions, as criminal use them as a stepping stone toward higher-profile targets like celebrities or business executives, according to Symantec.

“Security incidents, managed well, can actually enhance customer perceptions of a company; managed poorly, they can be devastating,” Ed Ferrara, vice president and principal analys at Forrester Research noted in Symantec’s statement.

“If customers lose trust in a company because of the way the business handles personal data and privacy, they will easily take their business elsewhere.”

Symantec recommends several best practices for businesses, including:

Know your data: Protection must focus on the information – not the device or data center. Understand where your sensitive data resides and where it is flowing to help identify the best policies and procedures to protect it.

Educate employees: Provide guidance on information protection, including company policies and procedures for protecting sensitive data on personal and corporate devices.

Implement a strong security posture: Strengthen your security infrastructure with data loss prevention, network security, endpoint security, encryption, strong authentication and defensive measures, including reputation-based technologies.