Following the NCA report stating that hackers are winning the cyber arms race, IT security experts from AppRiver and Verizon commented below.

Troy Gill, Manager of Security Research, AppRiver:

“There are two main reasons why companies don’t report data breaches: they’re either ignorant of the breach or fearful it will cost them customers, drastically reducing their profits. Adding the threat of a fine or lawsuit in the case that a data breach is unreported, or at least not reported in a timely manner, certainly makes ‘doing the right thing’ less expensive.

“Companies have proven that they can’t be entrusted to store data properly or implement good security practices on their own, so compliance is needed to ensure that they are at least meeting minimum standards to keep their customers’ information secure.

“Unless we’re talking about the board of a cybersecurity company or compliance agency, remaining secure and compliant is probably one tiny sliver of issues they deal with daily. If most boards knew what was at stake by remaining noncompliant or negligent with their IT security, they would make it a priority. Unfortunately, most don’t realize this until it’s too late.”

Paul Simpson, Principal Consultant, Verizon RISK:

“Our 2016 Data Breach Investigations Report found that many businesses still lack basic security defences, or have implemented or configured them incorrectly – this is unbelievable when we are aware of the cybercriminal activity around us. For example, we saw 63 percent of confirmed data breaches involving weak, default or stolen passwords.

“Some of the reasons behind this are reliance on old security policies; security being more of an afterthought in a business’ strategy rather than a priority or even just down to lack of good employee education. Often businesses forget that their employees are often an easy route for any opportunistic hacker looking to find their way into an organisation via phishing emails, as they commonly make mistakes that leave their doors wide open.

“Awareness is the first and best line of defence against cyber-criminals – CIOs also need to stay in touch with the latest security threats, and share that knowledge throughout the organisation. My immediate advice to any company is to ensure that the security basics and procedures are already in place to help mitigate the impact of a future cyber-attack. Prevention is often better than cure and the effectiveness of implemented security and incident processes should be tested and measured for effectiveness. This can be done via a concentrated security approach.”

The Verizon DBIR 2016 revealed that the key failings in basic security practices include:

  • Passwords: The majority of breaches are a direct result of weak, default or stolen passwords – nearly two-thirds (63 percent) of confirmed breaches are still traced back to this basic failure.
  • Phishing: Of almost 10,000 phishing incidents picked up in the caseload, nearly 1,000 led to a data breach. Worryingly, the DBIR found that 30% of phishing emails get opened, and 12% of people go on to open the attachments!
  • Known vulnerabilities: Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years. In fact, the top 10 known vulnerabilities accounted for 85% of successful exploits.