Adaptiva recently hosted a webinar by security author and Microsoft Certified Trainer extraordinaire, Dale Meredith. He shared that his pet peeve is that companies are not doing the most basic things they should be doing to protect endpoints. He offered some advice on security best practices for IT professionals. In the middle of all that, he shared some extremely interesting security statistics—the focus of this blog.
The Who, How, Why of Cyberattacks
Where do breaches come from?
Dale pointed out that internal sources are responsible for a large percentage of breaches. Oftentimes, employees are not malicious so much as unaware. I was alarmed to see state sponsors at 18%. The world sure is changing. Organized crime was the source of a stunning 51% of breaches. Our old image of organized crime—Tony Soprano and his mafia crew—is giving way to vague images of hooded figures in basements sitting at banks of computers.
What tactics do they use?
Dale says hacking is on the decline and malware is on the rise. While many people use weak passwords that can be guessed, password theft is a real menace too. The “fake password reset email” ploy is still going gangbusters. If you’re reading this article, you’re probably not the sort who would click on them, but the end users at your company might be. Privilege misuse is when somebody is given special access for a task-specific purpose, and they share it out to somebody who uses it for something else entirely. Dale says we’re seeing an increase in physical access too, and USB ports are a commonly exploited point of access.
Who are the victims?
It makes sense that financial institutions top the list, per the classic question/answer line, Why did you rob a bank? / Because that’s where the money is. However, no business or individual is immune from cyberattacks. Attacks aren’t just targeted at large organizations. Dale reports that 61% of breaches take place in companies with fewer than 1,000 employees. He suggests that typically companies don’t think it’s going to happen to them—until it does.
What do attackers have in common?
Sixty-three percent of attacks are sent via email attachments. One would think that after all these years, people were getting wiser to this, but it is still going strong. Seventy-three percent are financially motivated. Many are conducting espionage, and a good number are discovered by third parties.
Are You Living in Denial?
In the webinar, Dale spoke passionately about the need for good cybersecurity policy and enforcement. Simply updating the operating systems and applications to the latest versions, with all current security fixes, would eliminate a huge number of vulnerabilities. He emphasized this point repeatedly.
He talked about how many breaches could have been stopped by just doing the most basic things, but he didn’t provide stats on how many companies fail to. So I did some hunting, and found a report for the UK government, Cyber Security Breaches Survey 2016, that highlights the problem.
More than twice as many companies say security is a priority as actually have policies for it.
- 68% of senior managers consider cybersecurity a high priority item
- 29% of companies have written cyber security policies
We all have this problem in different ways. For example, I try to count calories about seven out of 10 days, but only actually enter it into my app on about three out of 10. Guess who hasn’t lost that 10lb?
Writing out security policy helps in many ways, but two stand out. First, you have to think it through. It’s easy to feel like you have it all under control when you might have some gaps. (Just like I can’t expect to meet calorie goals if I record two tacos as one). Writing it down will make you think it through. Second, your staff will all be on the same page. Otherwise, employees may have contrasting ideas about “what the security plan is,” and implement disparate security policies—an almost certain recipe for vulnerabilities.
Six times as many companies have seen breaches in the past year as have plans to deal with them.
- 65% of large companies witnessed a cyber security breach or attack within the last year
- 10% have a formal incident management plan
This speaks for itself. Obviously, companies should prevent breaches in the first place. Still, it would be wise to have a plan for when they do occur. Does your company have a plan?
In the coming weeks and months, we’ll be providing more security resources at adaptiva.com to help you with detailed tactics for keeping your company safe. If you’d like to get a high-level overview of the problem and the most important things to do to combat it, Dale’s webinar is a great place to start. You can watch “Webinar: Security Configuration Management Best Practices” here: