The findings of the latest Verizon Data Breach Investigations Report (DBIR) were covered by several IT news websites this week (Computer Weekly and ComputerWorld UK) because they show that organisations are still not taking basic cyber crime prevention measures.
The report appears to show that cyber crimes whose type and modus operandi are well known and widely publicised are still happening in large numbers because organisations don’t have the staff awareness or relevant training, don’t know the attack patterns for their industry, and aren’t focusing on simple but well executed security measures.
The Report’s conclusions are drawn from an analysis of 2,260 breaches and in excess of 100,000 incidents at 67 organisations in 82 different countries and as such are believed to provide a reliable snapshot of the state of organisational cyber security.
The Usual Suspects
Examples of the kinds of well known data breaches and incidents that are still being allowed to happen too frequently are human error, phishing attacks, web app breaches (908 confirmed data breaches), and malware such as ransomware.
According to the Verizon DBIR, human error accounts for most security incidents experienced by organisations. 26% of these errors involve sending sensitive information to the wrong person. Others include losing laptops and smartphones or having them stolen, disposing of company information incorrectly, and making mistakes when configuring IT systems.
The use of passwords is now a widely acknowledged problem area (hence the rise of biometric systems) and the report shows that nearly two-thirds of data breaches come from using weak, default or stolen passwords.
The report shows that phishing attacks are getting more successful. For example, 30% of phishing messages were opened this year compared to 23% last year, and a surprisingly high 12% of those recipients went on to click on the attachment or link in the email.
Multi-Point Phishing Attacks On The Rise
The report highlights a hybrid, multi-point phishing style attack that is gaining in popularity.
This involves the initial phishing email that contains the link to the malicious attachment or website. Once the victim has clicked on the link and downloaded the malware, more malware can then be used to steal details or data, or to lock (encrypt) important files as part of a ransomware attack. Stolen credentials from the victim can then be used for logging into other sites e.g. online shops or banking sites.
High Speed Attacks That Go Unnoticed
The report showed that the speed and stealth of cyber criminals are taking organisations by surprise. For example, in 93% of cases attackers took only a few minutes to compromise systems, and in 84% of cases the victims didn’t find out they had been breached for weeks. Many organisations even had to be informed by a third party that the breach had taken place.
Mobile and IoT Attacks Not Common Yet
Despite predictions over the last year by many security commentators, the lack of significant real-world data on mobile attacks or attacks via the Internet of Things (IoT) appears to indicate no huge surge in crime in these areas.
What Does This Mean For Your Business?
The report shows that it is important for businesses to take the threat of data breaches and cyber crime seriously and to, at the very least, set up simple systems and methods to tackle the basic known threats. This could include:
- Making sure that staff receive the relevant awareness-raising messages and training to ensure compliance and best practice, and to help avoid costly human errors.
- Making sure that default passwords aren’t used, that passwords are strong and/or changed frequently, and/or making two-factor authentication compulsory.
- Keeping up with patching and updates for all computers, even the old ones that don’t get used often. Make sure that third-party CMS plug-ins are patched too.
- Helping to defend against phishing by making sure that your email filtering works well, segmenting your network, and using layered authentication rather than static passwords when moving around networks.