Cyber Vulnerabilities ‘Easy to Find’
Verizon’s “2015 Data Breach Investigations Report” (DBIR), published earlier this month, paints a disturbing picture for organizations and their customers.
The 2015 report analyzed more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents in 2014. The previous year’s report, which covered 2013, looked at 1,367 data breaches and analyzed more than 63,000 security incidents.
In about 70 percent of the new cases, decades-old ploys such as phishing and hacking still succeeded, largely because companies had not kept up with patching.
The question is, why are so many companies still not ahead of the curve when these cyber attacks can have such a devastating impact? The reasons boil down to priorities, process, and people.
“The bad guys don’t really have to work too hard to do this,” said Mark Weatherford, principal at The Chertoff Group and former deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security.
“They are looking for vulnerable people all the time, and unfortunately it’s far too easy to find them.”
To help organizations assess these threats more effectively, Verizon Managing Principal and report author Bob Rudis said the report — for the first time — includes an impact section that ties dollars and cents to each data record compromised.
“We now have impact information that folks can use for risk management purposes, including enterprise risk management and financial risk management,” said Rudis.
“It’s a model for looking at breaches at a whole new way that we couldn’t talk about before.”
The model shows different loss forecasts for different volumes: the average loss for a breach of 1,000 records is between $52,000 and $87,000; for 10 million record losses, it’s $2.1 million to $5.2 million.
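The two figures above are the only points of the DBIR impact model the article reports. As an added illustration (not Verizon's regression and not code from the report), the block below draws a straight line through them in log-log space so the range can be read off for any breach size in between, which makes visible what the two data points only imply: the per-record cost falls sharply as the record count grows. The power-law interpolation and the hypothetical helper names are assumptions made here.

```python
"""Interpolate the DBIR 2015 loss forecast between the two published points.

Assumption (not from the report): loss scales as a power law in the number of
records, i.e. a straight line between the two points in log-log space. The
report's own model is a regression over many breaches; this is only a way to
explore the two figures the article quotes.
"""
import math

# Forecast endpoints quoted in the article: (records, low USD, high USD).
DBIR_POINTS = (
    (1_000, 52_000, 87_000),
    (10_000_000, 2_100_000, 5_200_000),
)


def _fit_power_law(x1, y1, x2, y2):
    """Return (a, b) such that y = a * x**b passes through both points."""
    b = math.log(y2 / y1) / math.log(x2 / x1)
    a = y1 / x1 ** b
    return a, b


def estimate_loss(records):
    """Return (low, high) estimated loss in USD for a breach of `records` records.

    Values outside 1,000..10,000,000 records are extrapolations beyond the
    quoted range and should be treated with suspicion.
    """
    if records < 1:
        raise ValueError("records must be a positive integer")
    (x1, lo1, hi1), (x2, lo2, hi2) = DBIR_POINTS
    a_lo, b_lo = _fit_power_law(x1, lo1, x2, lo2)
    a_hi, b_hi = _fit_power_law(x1, hi1, x2, hi2)
    return a_lo * records ** b_lo, a_hi * records ** b_hi


def cost_per_record(records):
    """Return (low, high) estimated loss per compromised record in USD."""
    lo, hi = estimate_loss(records)
    return lo / records, hi / records


if __name__ == "__main__":
    # Constructed breach sizes chosen to span the quoted range.
    for n in (1_000, 10_000, 100_000, 1_000_000, 10_000_000):
        lo, hi = estimate_loss(n)
        plo, phi = cost_per_record(n)
        print(f"{n:>12,} records: ${lo:>12,.0f} - ${hi:>12,.0f}"
              f"  (${plo:,.2f} - ${phi:,.2f} per record)")
```

Reading the table this prints, a 1,000-record breach costs roughly $52 to $87 per record while a 10-million-record breach costs about 21 to 52 cents per record, which is why a per-record figure multiplied by record count is a poor risk estimate for large breaches.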
As for the types of cyber attacks plaguing organizations, about 83 percent of security incidents involve compromising websites and servers and turning them against a secondary victim: launching denial-of-service attacks, hosting malware, or repurposing the site for phishing. This is up from 76 percent in the 2014 report.
Additional top threat patterns include: miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; cyber espionage; point-of-sale intrusions, and payment card skimmers.
The industries most affected by cyber attacks are the same as in recent years: public, information, and financial services.
How to respond? First, look at different industries that are experiencing the same kind of attacks as you are — no matter how different they seem, advised Verizon Senior Analyst Suzanne Widup: “See if you can make contact with them and not stay within your same silo.”
To start closing the high volume of vulnerabilities organizations often have, Weatherford advised developing better patch management programs that include testing and a timeframe for implementation.
“I hate to sound that simplistic but really that’s why [threats from] 2007 pop up in companies – because companies haven’t done their due diligence to do the [security] hygiene that they need to do,” he said.
Marc Spitler, Verizon senior analyst, puts it more colorfully: “Instead of just playing Whack-A-Mole with the particular vulnerabilities, [companies] need to understand why they were actually visible to begin with.”
The difficulty of finding qualified IT people to tackle security problems is another reason companies aren't keeping up with patches and other protections, said Mike VanDenBerg, a managing director in KPMG's cyber services and information protection practice based in Dallas.
“There’s an undercurrent not mentioned in the report: that the supply and demand of labor in this industry is very unbalanced,” he said.
“Every single client that I have in the Fortune 50 cannot find enough qualified people to do what needs to be done in this space. If I were to invest the next million dollars in my security problem … it would be [in] trying to solve the problem that I’ve had for several years, which is people. It’s just a matter of priorities.”
For VanDenBerg, consistently covering the entire data environment will make the biggest difference to companies.
“Some of the constraints are: legacy systems that can’t be patched, are out of support, [or] are off the books from an accounting perspective but are still functional from a technology and business perspective. [These are] great from a financial standpoint but it’s bad from a security standpoint,” he said.
“Shutting down those assets and moving to new and different technology ultimately will increase your security. Yes, it will open up holes in the future, but I’d rather have something that I can do something about than have old technology that I can’t.”
Looking to trends in 2015, Verizon’s Rudis had this to say: “My prediction is a non-prediction; if the status quo [within organizations] stays, we are pretty much going to see almost a mirror image of the report next year.”