Don’t make life easy for the cybercriminals

9 March 2017

Author: Bryan Sartin, Verizon Enterprise Solutions

Your CFO gets an e-mail from the CEO asking her to transfer money that’s needed urgently for a new acquisition. Why would she question an e-mail from the CEO?

We’re seeing more and more examples like this of “whale phishing”—where personalised social engineering campaigns are used to target C-level execs. We’re seeing it because plenty of people are still falling for this kind of scam. Almost a third (30%) of spear phishing messages were opened last year. Many people opened them without giving it much thought—it was typically less than two minutes before the first user opened a phishing e-mail. More than one-in-ten (12%) went on to open the malicious attachment or click the link [1].

That goes to show that people are becoming the weakest point in an organisation’s defences. It’s not just security experts who need to understand the risks. Every organisation relies on digital in some way—to communicate, to transact, to compete. Today, gaining competitive advantage is about being able to do digital—better. But to do that, you need systems that are reliable and secure. And that means data security threats are something we all need to care about.

The same old mistakes

It’s time to up your game—because people are still falling for the same old tricks. And it’s not just phishing. The biggest risk you face isn’t necessarily from new-to-the-world vulnerabilities. Most attacks exploit known vulnerabilities—where a patch has often been available for months, if not years.

It’s not just some kid in their bedroom using these techniques to hack your systems for fun. Even the most sophisticated attacks—perpetrated by cybercriminals and state-affiliated actors—often start with these simple techniques.

You don’t want to make it easy for the cybercriminals. But at present, that appears to be exactly what many organisations are doing. Just consider this: in 93% of cases, it took attackers minutes or less to compromise systems. Organisations, meanwhile, took weeks or more to discover that a breach had even occurred—and it was typically customers or law enforcement that sounded the alarm, not their own security measures.

Disrupt the economics of cybercrime

Most criminals are driven by greed—80% of breaches last year had a financial motive [1]. They’re not targeting you because of who you are. They don’t care whose systems they get into; they just want data that they can sell. And they’re upping their game. They have to, because the market value of some kinds of data, particularly payment card information, is falling.

Get your defences right and you’ll send them on to look for an easier target. But you haven’t got a bottomless pit of money to spend on cybersecurity, so you need to know how to prioritise your efforts. That’s all about understanding the biggest data security threats you face and how attackers strike.

A great place to start is by reading the 2016 Verizon Data Breach Investigations Report. This year’s edition draws on the details of over 100,000 incidents and analysis of 2,260 confirmed data breaches. And it again focuses on the nine incident classification patterns we first identified in our 2014 report. Over 90% of breaches fit into these nine patterns. And when you look at any single industry, the majority of data security threats fall into just three patterns. Understanding them can help you focus your security efforts on the right areas.

Bryan Sartin is the Head of Global Security Services at Verizon Enterprise Solutions. He manages the proactive and reactive span of Verizon’s consulting capabilities, including Governance, Threat & Vulnerability Management, Regulatory Compliance, Identity & Access Management, and Data Loss Prevention practices. Bryan also oversees all cyber investigations and intelligence functions, encompassing the externally facing arm of Verizon’s security apparatus. Mr. Sartin leads a total operation of more than 500 security consultants, researchers and developers across 30+ countries, as well as highly secure data processing, applied intelligence and digital forensics lab facilities in 5 countries.

[1] Verizon 2016 Data Breach Investigations Report, April 2016.