Organizations are still failing on security basics like good password management and regular patching, with hackers taking less than an hour to compromise systems in 93% of cases, according to Verizon.
The firm analyzed more than 100,000 security incidents and 2,260 confirmed breaches to compile its annual Data Breach Investigations Report (DBIR) this year.
The findings should be a wake-up call to organizations globally.
While attackers had no trouble compromising systems quickly over the reporting period, in a shocking 83% of cases it took victims weeks or more to find out they’d been breached. And the longer a breach goes unreported, the bigger the impact.
Almost two-thirds of breaches were made possible by the use of weak, default or stolen passwords, offering yet more evidence that two-factor authentication or at least password manager tools should be used by firms, especially on privileged accounts.
“There’s no such thing as an impenetrable system, but often even a half-decent defense will deter many cybercriminals - they’ll move on and look for an easier target. Sadly, many organizations fail to achieve even that modest ambition,” the report noted.
Almost all breaches (95%) are covered by nine patterns.
Although “miscellaneous error,” including staff sending information to the wrong person, accounted for the largest number of breaches (17.7%), insider and privilege misuse featured in 16.3% of cases.
The latter is particularly damaging to organizations because, in 70% of cases, a breach involving insider misuse took months or years to discover.
Unsurprisingly, point of sale (POS) intrusions dominated hospitality breaches, accounting for 95%, while physical theft or loss was the third biggest factor involved in most breaches.
Worryingly, over a third of theft (39%) was from employees’ own work areas while 34% came from their vehicles – emphasizing the need for better staff education, and encryption for sensitive data.
Verizon also claimed in the report that while there has not been a “significant volume” of mobile or IoT-based threats, “it’s only a matter of time before we see a large-scale breach.”
However, when asked by Infosecurity, the company claimed it couldn’t predict specifically which vulnerable areas black hats would look to target to exploit these systems.
Some of the security basics organizations should start thinking about include better staff training; effective patch management; use of 2FA; access policies of “least privilege”; and log files and change management systems to provide early warning of breaches.