Organizations Are Not Doing Enough to Secure Data
By Bob Violino | Posted 2015-04-22
Companies are open to existing vulnerabilities mainly because they never implemented security patches, but many breaches could be avoided with more vigilance.
Although cyber-security attacks are becoming ever more sophisticated, many hackers and other intruders are still relying on techniques that have been around for years. Meantime, organizations are not doing enough to prevent data breaches. These are among the key findings of a new report from Verizon Enterprise Solutions.
The company's "2015 Data Breach Investigations Report" shows that 70 percent of information security attacks use a combination of phishing and hacking techniques and involve a secondary victim, which adds complexity to breaches.
Companies remain open to a lot of existing vulnerabilities mainly because they never implemented security patches, the report says, adding that some vulnerabilities go back to 2007. It notes that many information security breaches could be avoided if organizations were more vigilant about cyber-security.
"We continue to see sizable gaps in how organizations defend themselves," said Mike Denning, vice president of global security for Verizon Enterprise Solutions. "While there is no guarantee against being breached, organizations can greatly manage their risk by becoming more vigilant in covering their bases."
This problem has remained a key theme of the Verizon reports over the years, Denning says.
It's interesting, given widespread concerns about the security of mobile devices and apps, that the report indicates mobile threats in general are overblown. Overall, it says, the number of exploited security vulnerabilities across all mobile platforms is "negligible."
IoT Becomes a Hacker's Tool
A hot topic that Verizon added to this year's report involves security issues related to the Internet of things (IoT). The 2015 report looks at security incidents in which connected devices were used as entry points to compromise other systems. Some IoT devices were co-opted into botnets that were infected with malicious software for denial-of-service attacks.
The findings on IoT and connected devices "reaffirms the need for organizations to make security a high priority when rolling out next-generation intelligent devices," the report states.
Verizon's security researchers found that 96 percent of the nearly 80,000 security incidents they analyzed can be traced to nine basic attack patterns, which vary from industry to industry. These threat patterns include miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider/privilege misuse; physical theft or loss; Web app attacks; denial-of-service attacks; cyber-espionage; point-of-sale intrusions; and payment card skimmers.
According to the report, 83 percent of security incidents involve the top three threat patterns. That's up from 76 percent in the 2014 study.
The longer it takes for organizations to discover breaches, the more time attackers have to penetrate defenses and cause damage, the report points out. More than a quarter of all breaches take an organization weeks—and sometimes months—to discover and contain.
The advice the report offers for bolstering security includes increasing vigilance; making people the first line of defense; keeping data on a need-to-know basis; patching promptly; encrypting sensitive data; using two-factor authentication; and paying close attention to physical security.