Two recently released reports underscore that the vast majority of cyber attacks are due to user error. This includes employees clicking on links in tainted emails, companies failing to apply available patches to known software flaws, and technicians not configuring systems properly.
In fact, according to Verizon Communications’ recent annual study of data breaches, more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing – the security industry’s term for trick emails. Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90% of the time, Verizon found.
“There’s an overarching pattern,” according to Verizon scientist Bob Rudis. Attackers use phishing to install malware and steal credentials from employees, then they use those credentials to roam through networks and access programs and files, he said.
Moreover, Symantec Corp., which released its own report just last week, found that state-sponsored spies also used phishing techniques because they work and because this less-sophisticated approach comes with less scrutiny. Once inside a system, however, spies get more sophisticated, writing customized software to evade detection by whatever security programs the target has installed, Symantec said.
“Once I’m in, I can do what I need to,” said Robert Shaker, an incident response manager at Symantec. The report drew on data from 57 million sensors in 157 countries and territories.
Another troubling trend Symantec found involves the use of “ransomware,” in which hackers encrypt a computer’s files and promise to release them only if the user pays a ransom. In a recent article in the Wall Street Journal, Intel Security, a unit of Intel Corp., said it reviewed more than 250,000 new ransomware samples in the fourth quarter of 2014, up 155% from the previous quarter. Additionally, the Internet Crime Complaint Center, a partnership between the FBI and the nonprofit National White Collar Crime Center, said businesses and individuals submitted 2,275 ransomware complaints from June 1, 2014, to March 31 of this year, with reported losses totaling more than $1.1 million. Ransomware can target more than 230 different types of computer files, up from 70 in 2013, according to Cupertino, California-based information-security firm Bromium Inc. According to the Wall Street Journal article, it’s estimated that about 30% of ransomware victims pay to regain their data.
The need for robust security measures, including training employees to be aware of phishing tactics, has never been more evident, as has the need for a strong Cyber insurance program that will respond in the event of a breach. We can provide assistance in putting together a Cyber Liability insurance plan for your insureds. Give Caitlin Morgan a call at 877.226.1027.
Sources: Reuters, Wall Street Journal