Significant differences between attackers' preference for PoS and e-commerce breaches were also observed across industry sectors, not just regions.
Sixty-four percent of breaches in the retail sector involved the compromise of e-commerce environments, 27 percent point-of-sale systems and 9 percent corporate networks. In the hospitality sector 65 percent of breaches involved PoS environments and 29 percent e-commerce, while in the food and beverages sector 95 percent were PoS and only 5 percent e-commerce.
Overall, e-commerce transaction data like personal identifiable information and cardholder data was compromised in almost half of all breaches and PoS transaction data, or track data, in a third of them. Cybercriminals also stole financial credentials in 12 percent of breaches and proprietary business data in 8 percent.
The most common methods of intrusion used in the incidents analyzed by Trustwave were insecure remote access software or policies and weak passwords. Together, these accounted for 56 percent of all compromises, the distribution being half and half.
For PoS environments in particular these two security failures were responsible for 94 percent of breaches. That's because many PoS terminals are configured for remote administration, either over the Internet or over a corporate network.
Weak input validation, which can lead to SQL and other code injections, together with unpatched vulnerabilities, were the second leading causes of compromises, accounting for 15 percent each. As expected, these were much more common for e-commerce breaches.
When it comes to corporate network compromises, the leading causes were malicious insiders and misconfigurations, accounting for a third each.
Companies are still not doing a good job at quickly identifying and containing breaches, according to Trustwave.
Affected companies identified breaches themselves in only 19 percent of cases. This is a significant decrease from last year's 29 percent.
Regulatory bodies, card brands and merchant banks were responsible for alerting businesses that they suffered a breach in 58 percent of cases. Law enforcement is also increasingly playing a role in this, notifying affected companies of 12 percent of breaches compared to 3 percent last year.
The median number of days from intrusion to detection across all incidents was 86, while from intrusion to containment it was 111. However, the numbers are very different for self-discovered breaches — only 14.5 days from intrusion to containment. This suggests that it's considerably better for companies to have processes in place that allow them to identify breaches themselves.
The Trustwave report shows that many companies are still struggling with basic security principles like enforcing access controls, implementing strong authentication, patching known vulnerabilities or avoiding common Web coding errors that have been known since the 1990s.
It's generally accepted among security professionals that there's no such thing as 100 percent security and that if a determined and sophisticated attacker wants to get in, he'll eventually find a way. Therefore, companies should strive to make it as hard as possible for attackers to break in, to the point where compromising systems would no longer justify the investment in time and resources for the vast majority of attackers.
Unfortunately, the organizations that do get breached are still getting some of the security fundamentals quite wrong, Yeo said.
Sign up for Computerworld eNewsletters.