For anyone concerned with maintaining information technology network security, a recent report from Verizon on data breaches is not good news. According to a story published by the Information Security Media Group, the new Verizon 2016 Data Breach Investigations Report notes that phishing attacks have become more successful. Malware continued to be the dominant way that organizations got hacked. The number of ransomware infections increased. And organizations continued to get exploited via vulnerabilities in their IT infrastructure that were months or sometimes even years old.
Verizon based its new report on information from 67 contributing organizations about more than 2,200 breaches across 82 countries. The information was provided by organizations ranging from incident response firms and insurance companies to law firms and government agencies.
Compared to previous years, unfortunately, the leading ways in which organizations get breached have changed little. Laurance Dine, managing principal of the investigative response team at Verizon Enterprise Solutions, said: "There's nothing really new in this year's report. It's showing us information that we have seen repeatedly over the last couple of years ... so things aren't necessarily getting better. The stats are showing that the same sort of attacks are happening all the time."
But the frequency of many of those attacks continues to increase. "We're seeing ransomware all the time," he says. "We are responding to these incidents weekly, if not daily. ... Ransomware is definitely on the rise." In addition, while there have been a number of highly publicized ransomware attacks (and sometimes ransom payments) in the healthcare sector, Dine says such infections are hitting industries across the board.
The success rate for attackers' phishing messages also continues to increase, thanks, in part, to better-crafted attack e-mails as well as the ease and low cost of such attacks. "If you can sit at your computer in the middle of nowhere and send out a thousand phishing messages, and within five minutes be in one, two, ten environments, because somebody's clicked on the attachment, it's a very good payload for criminals," Dine says.
An easy conclusion is that companies managing IT networks should pay greater attention to the need for more security awareness training for employees, including training on what to do in the event of a suspected security incident.
For more information on how small business owners can protect their information technology systems, see this Federal Communications Commission page: https://www.fcc.gov/general/cybersecurity-small-business