Ransomware attacks are the top cybersecurity threat to organisations and are now targeting business-critical systems, according to a new report from Verizon.
The 2018 Data Breach Investigations Report (DBIR) finds that ransomware makes up 39% of malware-related data braches, double the rate of the previous year.
More worrying perhaps is that these attacks are now moving into business-critical systems which encrypt file servers or databases, inflicting more damage and commanding bigger ransom requests. The findings go some way to confirm that ransomware attacks can cause financial harm, downtime and reputational damage.
Meanwhile social attacks, such as financial pretexting and phishing, as well as being infiltrated via employees are now increasingly being aimed at departments such as HR and finance, in a bid to extract wage and tax data in order to commit tax fraud.
The report also finds that:
- The human factor continues to be a key weakness with employees still falling victim to social attacks. Financial pretexting and phishing represent 98% of social incidents and 93% of all breaches investigated, with email continuing to be the main entry point. Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasising the need for ongoing employee cyber security education.
- Pretexting incidents have more than doubled since 2017, with many incidents specifically targeting HR staff to obtain personal data for the filing of fraudulent tax returns.
- While on average 78% of people did not fail a phishing test, 4% do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organisation.
- DDoS (distributed denial of service) attacks are everywhere – they can impact anyone and can be used as camouflage, often being started, stopped and restarted to hide other breaches in progress. They are powerful, but also manageable if the correct DDoS mitigation strategy is in place.
- 72% of attacks were perpetrated by outsiders, while 27% were driven internally. Organised crime groups still account for 50% of the attacks analysed.
- Simple errors – such as failing to shred confidential information, sending emails to the wrong person or misconfiguring web services – were at the heart of nearly one in five breaches. More than 20% of people still click on at least one phishing campaign during a year.
“Businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom.” Bryan Sartin, executive director, Security Professional services, Verizon
“Ransomware remains a significant threat for companies of all sizes,” said Bryan Sartin, Executive Director, Security Professional services at Verizon. “It is now the most prevalent form of malware and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom.
“As an industry, we have to help our customers take a more proactive approach to their security. Helping them to understand the threats they face is the first step to putting in place solutions to protect themselves.”
The report highlights the biggest threats faced by individual industries, and also offers guidance on what companies can do to mitigate these risks. Key findings include:
- Education: Social engineering targeting personal information is high, which is then used for identity fraud. Highly sensitive research is also at risk, with 20% of attacks motivated by espionage. 11% of attacks also have ‘fun’ as the motive rather than financial gain.
- Financial and insurance: Payment card skimmers installed on ATMs are still big business, but we’re also now seeing a rise in ATM ‘jackpotting,’ where fraudulently installed software or hardware instructs the ATMs to release large amounts of cash. DDoS attacks are also a threat.
- Healthcare: This is the only industry where insider threats are greater than threats from the outside. Human error remains a major contributor to healthcare risks.
- Information services: DDoS attacks account for over half (56%) of the incidents within this sector.
- Public sector: Cyber espionage remains a major concern, with 43% of breaches being espionage motivated.
Other industries examined within the report include accommodation and food services, professional, technical and scientific services, and manufacturing and retail.
Echoing previous reports of slow detection of breaches, 68% of them took months or longer to discover, even though 87% of those examined had data compromised within minutes or less of the attack taking place.
The following seven steps should reduce the risk of data compromise, says Verizon:
- Stay vigilant: log files and change management systems can give you early warning of a breach.
- Make people your first line of defence – train staff to spot the warning signs.
- Keep data on a need-to-know basis – only employees that need access to systems to do their jobs should have it.
- Patch promptly – this could guard against many attacks.
- Encrypt sensitive data to make it next to useless if it is stolen.
- Use two-factor authentication – this can limit the damage that can be done with lost or stolen credentials.
- Don’t forget physical security – not all data theft happens online.
You can read the full 2018 Data Breach Investigations Report here.