The c-suite — who have access to a company’s most sensitive information, are now the major focus for social engineering and cyber attacks.
C-suite beware: You are the latest targets of cybercrime
According to Verizon’s latest report — using data from the FBI for the first time — suggests that senior executives are 12 times more likely to be the target of social incidents, and 9 times more likely to be the target of social breaches than in previous years.
Financial motivation remains the key driver.
Financially-motivated social engineering attacks (12% of all data breaches analysed) are a key topic in this year’s report, highlighting the critical need to ensure all levels of employees are made aware of the potential impact of cybercrime.
Data breaches becoming more complex, pervasive and damaging – Verizon
“Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video, and other critical — often personal — data will be assembled and analysed at eye-blink speed, changing how applications utilise secure network capabilities” comments George Fischer, president of Verizon Global Enterprise.
“Security must remain front and centre when implementing these new applications and architectures.
“Technical IT hygiene and network security are table stakes when it comes to reducing risk. It all begins with understanding your risk posture and the threat landscape, so you can develop and action a solid plan to protect your business against the reality of cybercrime. Knowledge is power, and Verizon’s DBIR offers organisations large and small a comprehensive overview of the cyber threat landscape today so they can quickly develop effective defense strategies.”
Outsider threats remain dominant: External threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34%
C-suite cyber attacks
A successful cyber attack on senior executives can reap large dividends as a result of their — often unchallenged — approval authority, and privileged access into critical systems.
According to the report, these c-suite executives are typically time-starved and under pressure to deliver, so they quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through.
The increasing success of social attacks, such as business email compromises (BECS — which represent 370 incidents or 248 confirmed breaches of those analysed), can be linked to the unhealthy combination of a stressful business environment, combined with a lack of focused education on the risks of cybercrime.
Cyber security professionals struggling to balance under increasing pressure
This year’s findings also highlight how the growing trend to share and store information within cost-effective cloud based solutions is exposing companies to additional security risks.
Analysis found that there was a substantial shift towards compromise of cloud-based email accounts via the use of stolen credentials. On top of this, publishing errors in the cloud are increasing year-over-year.
Misconfiguration (“miscellaneous errors”) led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records analysed in the DBIR dataset — this accounts for 21% of breaches caused by errors.
Bryan Sartin, executive director of security professional services at Verizon comments: “As businesses embrace new digital ways of working, many are unaware of the new security risks to which they may be exposed. They really need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats. Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line.”
Ransomware attacks are still going strong: They account for nearly 24% of incidents where malware was used. Ransomware has become so commonplace that it is less frequently mentioned in the specialised media unless there is a high profile target
Industry specific
Once again, this year’s report highlights the biggest threats faced by individual industries, and also offers guidance on what companies can do to mitigate against these risks.
“Every year we analyse data and alert companies as to the latest cybercriminal trends in order for them to refocus their security strategies and proactively protect their businesses from cyber threats. However, even though we see specific targets and attack locations change, ultimately the tactics used by the criminals remain the same. There is an urgent need for businesses – large and small – to put the security of their business and protection of customer data first. Often even basic security practices and common sense deter cybercrime,” continues Sartin.
• Education: There was a noticeable shift towards financially motivated crime (80%). And, 35% of all breaches were due to human error and approximately a quarter of breaches arose from web application attacks, most of which were attributable to the use of stolen credentials used to access cloud-based email.
• Healthcare: This business sector continues to be the only industry to show a greater number of insider compared to external attacks (60% versus 42% respectively). Unsurprisingly, medical data is 18 times more likely to be compromised in this industry, and when an internal actor is involved, is it 14 times more likely to be a medical professional such as a doctor or nurse.
• Manufacturing: For the second year in a row, financially motivated attacks outnumber cyber-espionage as the main reason for breaches in manufacturing, and this year by a more significant percentage (68%).
• Public Sector: Cyber-espionage rose this year — however, nearly 47% of breaches were only discovered years after the initial attack.
• Retail: Since 2015, Point of Sale (PoS) breaches have decreased by a factor of 10, while web application breaches are now 13 times more likely.
Trouble at the top: are CEOs the greatest security risk to organisations?
Phishing
Verizon’s report has revealed that 32% of breaches in 2018 involved phishing.
Shlomie Liberow, technical program manager at HackerOne, said:
“Organisations are clearly still not taking employee cyber security education seriously enough.
“When it comes to organisational or institutional security, a lot of what we can do to bolster our protection has nothing to do with technology and more comes down to employee education.
“Encouraging employees to question requests, double check on records and be just a little paranoid are all critical in improving overall cybersecurity posture.
“Companies who blame employees for poor passwords or bad behaviour with email aren’t spending enough time, money, or energy driving home security. Preventing phishing attacks can be closely tied to corporate culture. Is it normal for an exec to demand something like a bank transfer to a vendor, or a large purchase from a random site with no questions asked either because of fear or sternness? Welcome to phishing heaven. It’s up to IT and security teams to enable, empower and educate employees as part of strengthening the weakest links.”
Nominations are OPEN for the Tech Leaders Awards, organised by Information Age and taking place on 12th September 2019 at the Royal Lancaster, London. Categories include CIO of the Year, CTO of the Year, Digital Leader of the Year and Security Leader of the Year. Recognise and reward excellence in the tech industry by submitting a nomination today
