Following the Verizon data breach report, IT security experts from Barracuda, High-Tech Bridge, Bromium and CipherCloud commented below.
Wieland Alge, GM EMEA at Barracuda:
“The results of the Verizon 2017 Data Breach Investigations Report are very interesting, with many of the findings confirming what we’ve been seeing on the front lines for some time.
Ransomware:
The report’s finding of a 50% increase in ransomware comes as no surprise to us. Ransomware use has exploded recently as an easy way for cyber criminals to make money. As long as people keep on paying the ransoms, attackers will continue to infect users. It’s become the number one threat to businesses today, with many firms having to pay the ransom simply because they don’t have the defence systems in place to avoid doing so.
For small organisations on a tight security budget, tiering your data in terms of importance is good practice so that you can intelligently decide where to focus your data protection efforts. Of course, customer data is often your most valuable asset and so usually will take precedence. However, don’t fall into the trap of only protecting the data that you view as important and not taking into account the data that cyber criminals can easily monetise. For example, personally identifiable information is often targeted by cyber criminals, but may not be viewed as an important business asset.
Small businesses:
The findings reveal that small businesses are a big target (with 61% of victims businesses with fewer than 1000 employees). There is a huge misconception around this – many small organisations falsely believe they are not attractive attack targets and that cybercriminals focus on large enterprises. This is simply not the case, with the Verizon report the latest piece of research proving that attackers often see SMBs as lucrative targets as they are resource-limited and may not have a ransomware protection system in place. In fact, many small organisations don’t even know when they have been compromised.
Phishing and human error:
The report also found that phishing remains big business, with 43% of data breaches utilising phishing techniques. This underpins the idea that simply investing in the right technology is never enough. In addition to having the right security solutions in place, it is imperative that employers educate their staff to be more aware, especially when it comes to phishing and social engineering attacks. Education is key here, as the biggest attack vector, as ever, is human error.”
Ilia Kolochenko, CEO at High-Tech Bridge:
“As in the previous report from 2016, insecure web applications dominate the top attack vectors in almost all the industries. Cybercrime is a [criminal] business, and thus follows the basic rules of business: spend less, get more. Attackers are always looking for the weakest link in your IT infrastructure, before leveraging expensive 0days and complicated APT attacks. Today, the majority of large organizations and governments can be easily breached via their web and mobile (backend) applications. Emerging risk comes from third-party applications, which are exploited by hackers to compromise your trusted third-party and get access to your data afterwards – cloudization, outsourcing and IT externalization aggravate this complicated challenge. The report confirms Google’s research, which found a 32% increase in website hacking in 2016. Application security becomes a major problem for organizations and should be addressed as a high priority.”
Fraser Kyne, EMEA CTO at Bromium:
“What most interested me in this year’s DBIR was that phishing attacks are actually becoming even more prevalent. One in 14 users are being duped into clicking on a bad link or attachment; but even worse, a quarter of those people go on to do it again! There is a phrase that I think is very apt here – “You can’t patch stupidity”.
“Essentially, what the DBIR shows us is that you can have the best education, the best processes and the most on-point detection capabilities available, but you will still take a hit. People within the organisation will always find a way around security to get their job done, and clever hackers will always trick end-users into doing something stupid. That’s probably also why we saw such a drastic spike in ransomware in this year’s DBIR; phishing is a great vehicle for hackers to deliver their payload and get ransomware running on a user’s machine. The fact is that however cyber-savvy they are, end-users will always be the weakest link in security.
“Organisations therefore need to shift the onus away from controlling user behaviour if they are to get a handle on the situation. The best way of mitigating phishing attacks is to have a safety net in place, allowing end-users to click with freedom, without having to worry too much about stumbling upon a bad link or malicious attachment. Micro-virtualisation is key to this, ensuring that each user task is contained within its own fully isolated and unique virtual environment. As a result, any malicious files are trapped within that virtual machine, posing no risk to the rest of the system. If a user finds themselves opening a malicious email or document, they can simply close down that window, and the threat disappears.”
Pravin Kothari, Founder, Chairman & CEO at CipherCloud:
“While the 2017 Verizon Data Breach Investigations Report shows a continued and alarming growth in threats and data breaches, it also highlights gaps and outdated security approaches that many organizations still rely upon. The report highlights that “People rely on how they’ve always done things” and often depend on out-of-date defense. This is especially true given the huge shift towards cloud applications, as organizations increasingly put sensitive data outside of their networks. Even the best firewall in the enterprise won’t detect attacks on data in the cloud, yet many security professionals still rely on an outdated perimeter security mindset.
“It’s critical that businesses shift to a data-centric approach to security, changing focus from securing network perimeters and systems, to protecting sensitive data wherever it goes – from cloud applications in unknown locations to end-users with increasingly sensitive data on vulnerable mobile devices.
“Finance and Healthcare account for more than 40% of the total breach incidents, according to the Verizon report, and these industries typically deal with highly sensitive information, many regulations, and stronger breach notification requirements. Our best practices recommendations for organizations in all sectors:
- Focus on protecting data – not just network, systems and applications. Data with your network, data in the cloud, and data on mobile devices, all need to be protected.
- Use encryption whenever possible, especially when sensitive data is outside your network.
- Never share your encryption keys with third-parties, cloud providers, or their administrators. Today’s encryption technology is very effective, but if you share keys you lose control and increase the risk of breaches.”
