Companies still failing on security basics

Despite the increasing attention being paid to cyber threats, data breaches are on the rise worldwide, and many organisations are failing to implement even basic defences and training, a new report shows.

Verizon's latest Data Breach Investigations Report shows that cybercriminals are continuing to exploit human nature with their attacks, and the human element remains the weak link in the security chain.

The report collates data from over 100,000 actual security incidents from 82 countries, and includes contributions from the AFP.

It finds that basic defences continue to be sorely lacking in many organisations, including in areas such as keeping software up to date. Most attacks exploit unpatched vulnerabilities despite there being patches available for months or even years. The top 10 known vulnerabilities in fact accounted for 85% of successful exploits in 2015.

In an indication that employee security training is sorely deficient, nearly two-thirds (63%) of confirmed data breaches in 2015 involved using weak, default or stolen passwords.

Phishing activity has meanwhile picked up dramatically, but 30% of phishing messages analysed in the report were opened, and 13% of these cases also involved clicking to open the malicious attachment or link.

Phishing has now spread to be involved in seven of the nine incident patterns identified in the 2016 report.

In addition, errors perpetuated by the organisations themselves grew to take the top spot for security incidents in 2015. These errors include sending sensitive information to the wrong person, improper disposal of company information, misconfiguration of IT systems and lost or stolen computing assets.

“You might say our findings boil down to one common theme — the human element,” Verizon Executive Director of Global Security Services Bryan Sartin commented.

“Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. How do you reconcile that?”

Not only do basic security capabilities remain lacking, but Verizon’s report also shows that cyber attacks are becoming faster and more sophisticated.

In 93% of data breaches analysed for the report, it took attackers minutes or less to compromise their victims’ systems. In 28% of cases, data exfiltration also occurred within minutes.

The report also finds that attackers are engaging in three-pronged attacks with increasing regularity. The first stage involves sending a phishing email linking to a malicious site or attachment.

The malicious content is used to download malware onto an individual PC that looks for secrets and internal information or encrypt files for ransom. In the final prong of the attack, the malware simultaneously seeks to steal credentials through methods including key logging, which are then used to log into third-party websites such as banking sites.

Sartin said the findings show that basic, well-executed security measures continue to be more important than complex systems. These include patching software promptly, monitoring all inputs for malicious activity, encrypting data on devices prone to theft and limiting who has access to important company data.

“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but often times even a basic defence will deter cybercriminals who will move on to look for an easier target,” he said.

Image courtesy of Perspecsys Photos under CC