Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Ransomware was the top variety of malicious software of 2018, found in 39% of malware-related data breaches. — Verizon, 2018
- 68% of data breaches took months or more to discover, though 87% had data compromised within minutes or less of the attack taking place– Verizon, 2018
Ransomware remains the big malware baddie going into 2018, according to Verizon’s annual Data Breach Investigations Report, released Tuesday. The threat was found in 39% of malware-related data breaches–double compared to last year, making it the top variety of malicious software, the report found.
This is the report’s 11th edition, analyzing more than 53,000 security incidents and 2,216 breaches from 65 countries.
“Ransomware has doubled year over year again–it happened last year as well,” Gabe Bassett, senior information security data scientist at Verizon and co-author of report, told TechRepublic. “The reason we’re seeing this incredible prevalence is ransomware is a great value proposition for the attacker. They don’t have to do a lot of the complex work. They just drop a piece of malware and then let it run.”
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
It used to be difficult for hackers to configure the cryptography needed to deploy ransomware, Bassett said. But today, they can simply purchase the ransomware software they need. “They don’t even have to understand it–there’s very low risk, very high reward,” Bassett said. “And it’s very easy to monetize through cryptocurrencies.”
Importantly, ransomware has started to impact business critical systems, rather than just desktops, the report found. This is leading to larger ransom demands, making cybercriminals more money for less work.
It’s likely that ransomware attacks will continue to grow until the economy becomes saturated, Bassett predicted.
Some 68% of breaches took months or more to discover, though 87% of the breaches examined had data compromised within minutes or less of the attack taking place, the report found.
The human factor
Humans continue to fall victim to social engineering attacks, the report found. Email continues to be the main entry point for malware, with 96% of attacks coming through use inboxes. Companies are also nearly three times more likely to get breached due to social attacks than actual vulnerabilities, the report found–highlighting the need for ongoing employee cyber education.
On average, 78% of people did not fall for a phishing attack test last year. However, 4% of people did, and a criminal only needs one victim to click on their malicious link or download to gain access to an organization.
SEE: Intrusion detection policy (Tech Pro Research)
“About 80% of people are doing the right thing,” Bassett said. “On the other hand, they could be doing better. They could be reporting when they see that phishing email, which would give the IT department the opportunity to figure out who the people are who didn’t recognize this, and who are going to click it.”
Employees who click on a phishing link once are more likely to click again, Bassett said. However, this is not necessarily their fault. “A lot of these people are in positions where that’s their job, to receive PDFs from people and open them,” Bassett said. To help them succeed, IT can considering having them work off of a sandboxed Windows computer, an iPad, or a Chromebook, which have fewer vulnerabilities to malware.
In terms of email threats, “if you know it’s coming that way, set people up for success,” Bassett said. “Give them a system that’s not going to be compromised if they have to do something that’s a little bit dangerous as part of their job.”
Tips for IT admins
The report offers the following tips for proactively keeping your organization safe:
1. Be vigilant. Don’t wait to learn about a breach from law enforcement or customers. Use log files and change management systems to monitor early warning signs of a security issue.
2. Make people your first line of defense. Teach your employees how important cybersecurity is to both your brand and your bottom line. Train them on how to spot the signs of an attack, and how to react.
3. Only keep data on a need-to-know basis. Limit access to any information only to employees that need it to do their job. Ensure there are processes in place to revoke access if someone changes roles.
SEE: Security awareness and training policy (Tech Pro Research)
4. Patch promptly. Keeping your anti-virus software up to date and updating all apps and systems regularly can help avoid criminals that exploit known vulnerabilities from entering your system.
5. Encrypt sensitive data. Every company will likely be the victim of a breach at some point. If you encrypt your data, it can’t be used if it is stolen.
6. Use two-factor authentication. Phishing campaigns are still effective, and employees still make mistakes. Two-factor authentication can limit the damage done if credentials are lost or stolen.
7. Don’t forget physical security. Data theft can happen offline as well. Use surveillance cameras and entry systems for restricted areas to avoid criminals tampering with systems or stealing sensitive material.
“You can worry less about hackers doing fancy stuff inside your network if you can get rid of the really basic phishing attacks, or that first piece of malware, or the use of stolen credentials,” Bassett said. “Then all the rest of the stuff down the path is much less likely to happen.”