by Dan Worth
More than 90 percent of security incidents at companies can be traced to just nine types of basic threats, as firms have continued to fall for the same type of scams and attacks for a decade.
Verizon said that, having analysed 10 years’ worth of data covering 100,000 security incidents, it found 92 percent could be traced back to nine attack vectors. The findings were published in the firm’s annual Data Breach Investigations Report.
The nine threats include malware attacks, device loss or theft, distributed-denial-of-service (DDoS) attacks, payment card skimming and web app attacks.
The remaining four attacks are cyber-espionage, point-of-sale intrusions, insider theft and miscellaneous errors, such as sending emails with sensitive data to the wrong person.
Further exacerbating this situation is the fact that certain sectors are more prone to certain types of attacks, making it even easier for hackers to hit their targets.
Verizon said that in the financial services sector, three quarters of all incidents can be traced to just three types of incident: web application attacks, distributed denial of service and card skimming.
In manufacturing 54 percent of attacks are cyber-espionage and DDoS, while in retail the majority of attacks are DDoS (33 percent) and point-of-sale intrusions (31 percent).
Wade Baker, principal author of the Data Breach Investigations Report, said the wealth of data presented the worrying conclusion that the “bad guys are winning” and firms need to take note. “Organisations need to realise no one is immune from a data breach,” he said.
“Compounding this issue is the fact that it is taking longer to identify compromises within an organisation – often weeks or months – while penetrating an organisation can take minutes or hours,” Baker said.
However, Jay Jacobs, Principal on Verizon’s Risk Team, told V3 there was a silver lining to this: with the attack patterns plaguing each industry laid out, companies have a better understanding of what needs protecting.
“This will help people work out what they should focus on. Often they’re told to do fifty things to protect themselves, but with this data, we can tell them the five key things they should focus on, before the other 45,” he said.
Jacobs added that major incidents from the past 12 months, like the attack on Target, show that better login security tools, such as two-factor authentication, are a must, as hackers go after user credentials.
“The solution [to these threats] is not to look for alternatives to the username and password login, but to add to it, such as with the ‘what you have’ method where you have a key fob or an app on your mobile that generates a code that you use alongside your credentials,” he explained.
Adding to the pressures firms face, many have been rushing to patch their systems after the major security bug Heartbleed was found in the OpenSSL tool, with numerous organisations already hit by the threat.