Ransomware attacks are a key cyber security threat for global organisations, with a study by Verizon identifying it as the most common type of malware, found in 39% of malware-related data breaches – double that of last year. What’s more, attacks are now moving into business critical systems, which encrypt file servers or databases, inflicting more damage and commanding bigger ransom requests.
The Data breach investigations report also flags a shift in how social attacks, such as financial pretexting and phishing, are used. Attacks such as these, which continue to infiltrate organisations via employees, are now increasingly a departmental issue. Analysis shows that human resource departments across multiple verticals are now being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.
“Businesses find it difficult to keep abreast of the threat landscape, and continue to put themselves at risk by not adopting dynamic and proactive security strategies,” says George Fischer, president of Verizon Enterprise Solutions. “Verizon gives businesses data-driven, real-life views on the cyber-threat landscape, not only through the DBIR series but also via our comprehensive range of intelligent security solutions and services. This 11th edition of the DBIR gives in-depth information and analysis on what’s really going on in cyber crime, helping organisations to make intelligent decisions on how best to protect themselves.”
The human factor continues to be a key weakness: Employees are still falling victim to social attacks. Financial pretexting and phishing represent 98% of social incidents and 93% of all breaches investigated – with email continuing to be the main entry point (96% of cases). Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasising the need for ongoing employee cyber security education.
Financial pretexting targets HR: Pretexting incidents have increased over five times since the 2017 DBIR, with 170 incidents analyzed this year (compared to just 61 incidents in the 2017 DBIR). 88 of these incidents specifically targeted HR staff to obtain personal data for the filing of file fraudulent tax returns.
Phishing attacks cannot be ignored: While on average 78% of people did not fail a phishing test last year, 4% of people do for any given phishing campaign. A cyber criminal only needs one victim to get access into an organisation.
DDoS attacks are everywhere: DDoS attacks can impact anyone and are often used as camouflage, often being started, stopped and restarted to hide other breaches in progress. They are powerful, but also manageable if the correct DDoS mitigation strategy is in place.
Most attackers are outsiders: One breach can have multiple attackers and we found the following: 72% of attacks were perpetrated by outsiders, 27% involved internal actors, 2% involved partners and 2% feature multiple partners. Organised crime groups still account for 50% of the attacks analysed.
“Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom – the cyber criminal is the only winner here! As an industry, we have to help our customers take a more proactive approach to their security. Helping them to understand the threats they face is the first step to putting in place solutions to protect themselves.”
Sartin continued: “Companies also need to continue to invest in employee education about cybercrime and the detrimental effect a breach can have on brand, reputation and the bottom line. Employees should be a business’s first line of defense, rather than the weakest link in the security chain. Ongoing training and education programs are essential. It only takes one person to click on a phishing email to expose an entire organisation.”
This year’s report highlights the biggest threats faced by individual industries, and also offers guidance on what companies can do to mitigate against these risks. Key industry findings include:
Education – Social engineering targeting personal information is high, which is then used for identity fraud. Highly sensitive research is also at risk, with 20% of attacks motivated by espionage. 11% of attacks also have ‘fun’ as the motive rather than financial gain.
Financial and insurance – Payment card skimmers installed on ATMs are still big business; however, we’re also now seeing a rise in ‘ATM jackpotting,’ where fraudulently installed software or hardware instructs the ATMs to release large amounts of cash. DDoS attacks are also a threat.
Healthcare – This is the only industry where insider threats are greater than threats from the outside. Human error remains a major contributor to healthcare risks.
Public sector – Cyber espionage remains a major concern, with 43% of breaches being espionage motivated. However, it is not only state-secrets that are a target – personal data is also at risk.