Attackers used smaller businesses with less stringent security as gateways to their ultimate targets – large corporations or governments that hold valuable secrets, according to a Symantec report on internet security.
In addition, adversaries target lower-level employees because they are more likely to open malware-laden email attachments that compromise their machines and, from there, their networks, according to “Internet Security Threat Report: 2011 Trends,” put out by Symantec.
Half the targeted attacks were directed at companies with fewer than 2,500 employees, the study says, and while they may not own assets that the attackers want, they may represent back doors into larger businesses that do own such assets.
“It is possible that smaller companies are targeted as a stepping-stone to a larger organisation because they may be in the supply chain or partner ecosystem of larger, but less well-defended companies,” according to the report.
This was the case with the attack on RSA that resulted in its two-factor token code being stolen. The network of an RSA partner company was compromised, and an email sent from that company to an RSA employee contained an attachment that led to the breach. The RSA breach, in turn, led to the breach later that year of Lockheed Martin’s network.
The individuals targeted are generally not high-level employees with direct access to valuable information, although 25% of attacks are aimed at executives.
Instead, attackers target a range of those who are likely to open attachments on emails from strangers, such as HR professionals who routinely receive emails with resumes attached that are sent by job applicants, the report says. HR workers are targeted 6% of the time, the study says. Shared mailboxes receive 23% of the attacks.
Data breaches resulted in the personal information of 232.4 million people being exposed, with each breach averaging the exposure of 1.1 million identities, the Symantec report says. The cost to U.S. companies that lost personal data was $194 per individual.
Healthcare organisations suffered the lion’s share of the breaches (43%), but computer software and IT companies accounted for the greatest percentages of individual identities compromised, with 44% and 41%, respectively.