This article was updated November 2019.
Cybersecurity breaches are often a result of improperly secured systems and a lack of user education and awareness—which means they can often be prevented with a more stringent cybersecurity strategy.
In 2018, there were more than 1,200 data breaches affecting 446 million records reported in the United States, according to the Identity Theft Resource Center (ITRC). This represents a 23% decrease in the number of breaches from 2017, but a 126% increase in the number of sensitive consumer records breached compared to 2017. ITRC identified 1,152 reported breaches affecting 160 million records as of October 10, 2019.
Breaches aren’t only happening to large organizations. Attackers are targeting small and mid-sized organizations more frequently due to their lack of sophisticated security controls.
It’s important to understand some of the most common cyberthreats your organization could face so you can strengthen your cybersecurity controls and attempt to avoid these issues.
Ransomware, whereby an attacker implants malware onto a victim’s system via a phishing email or compromised website to lock or encrypt the victim’s data until a payment is made, has become one of the biggest threats facing organizations. Cybersecurity Ventures projected that a business would fall victim to a ransomware attack every 14 seconds by the end of 2019, and every 11 seconds by 2021.
There’s a lot of debate circling the central question of a ransomware attack—if you get hit, should you pay the ransom?
The average ransom payment increased by 184% from Q1 to Q2 this year, nearly tripling the cost from $12,762 to $36,295, according to the Coveware Q2 Ransomware Marketplace Report; however, the costs can escalate quickly for larger organizations when multiple systems become infected.
The city of Atlanta spent over $17 million to fully recover its systems from a ransomware attack in 2018, while the city of Baltimore has spent over $18 million to recover from an attack this year. In Texas, 22 cities were hit by ransomware attacks in the summer of 2019; additionally, the town of Lake City, Florida, paid a hacker approximately $460,000 while the city of Riviera Beach, Florida paid $600,000 in cryptocurrency, according to The New York Times.
It isn’t just the ransom payment that can be costly. Approximately 26% of organizations hit with ransomware won’t recover all of their data, according to a late 2018 report from SentinelOne. Whether or not an organization pays, the time and money it takes to recover can be crippling. FedEx reported roughly $300 million in losses in 2017 after the NotPetya attack on its TNT Express subsidiary, primarily from recovery efforts and system downtime; the company did not pay, and NotPetya offered no working payment channel in any case.
An organization has to weigh how much money it loses each day it’s locked out of its systems against the cost of the ransom. It also has to consider whether paying makes it a target for further attacks, since other cybercriminals then know it’s willing to pay.
One of the main delivery methods of a ransomware attack is through email phishing. This is a social engineering technique that uses email to deceive end users into providing sensitive information, such as:
- Social Security numbers
- Payment card information
A phishing email will typically carry the ransomware program in a Word, Excel, or PDF attachment; once opened, it infects the target’s computer. Some ransomware variants, such as WannaCry and NotPetya (widely reported as Petya), went further: once inside a network they spread on their own by exploiting a Windows SMB vulnerability, infecting many systems without any further user action and disabling an organization’s operations for days and sometimes even weeks.
Business Email Compromise (BEC)
BEC is a targeted form of phishing that relies on impersonation. The attacker researches key executives, often from public profiles or a previously compromised mailbox, and mimics their writing style and email habits so that the message looks routine.
An employee will receive an email that asks for sensitive information like a request to switch account numbers or to move funds from one bank to another. However, the attacker will make the email look as though it came directly from a C-level executive, which is why these attacks have also become known as CEO fraud.
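The phishing and BEC indicators described above can be checked mechanically at the mail gateway or in a SOC playbook. The following is an added example, not code from the original article or from any vendor product: it parses a raw message with Python's standard email library and reports risky attachment types (the Word, Excel, and PDF carriers), a display name that matches a known executive while the address is not that executive's, a sender domain that is a near-miss of the company's own, a Reply-To that diverges from From, and payment or credential lures in the body. The company domain, the executive list, and both sample messages are constructed for the example.

```python
"""Triage of inbound email for phishing and BEC indicators (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumption: the organization's own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumption: display name -> real address

# Macro-enabled Office formats, scripts and containers commonly used as ransomware carriers.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls", ".js", ".vbs",
                    ".hta", ".exe", ".scr", ".iso", ".lnk"}
# Ordinary document formats: still a common phishing carrier, flagged at lower severity.
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".zip"}
LURE_PATTERN = re.compile(
    r"\b(wire|bank account|account number|urgent|ssn|social security|password)\b", re.I)


def _edit_distance(a, b):
    """Levenshtein distance; used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _extension(filename):
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage(raw_message):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # BEC: an executive's display name on a message not sent from that executive's address.
    known = EXECUTIVES.get(re.sub(r"\s+", " ", from_name).strip().lower())
    if known and from_addr != known:
        findings.append("display-name impersonation")

    # BEC: sender domain is one or two characters away from the company domain.
    if from_domain != COMPANY_DOMAIN and _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # BEC: replies are silently routed to a different mailbox.
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append("reply-to mismatch")

    # Lure language typical of payment-diversion or credential requests.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and LURE_PATTERN.search(body.get_content()):
        findings.append("financial/credential lure")

    # Attachment types that carry ransomware droppers or are common phishing vehicles.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
        elif ext in DOCUMENT_EXTENSIONS:
            findings.append(f"document attachment: {name}")
    return findings


# Constructed sample: executive impersonation from a lookalike domain with a macro-enabled sheet.
SUSPICIOUS_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: accounts@mail-relay.example.net
To: clerk@example.com
Subject: Urgent wire
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please update the vendor bank account number today. It is urgent.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

# Constructed sample: a genuine internal note with nothing to flag.
CLEAN_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: clerk@example.com
Subject: Meeting
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The 3pm meeting moved to room 4.
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_MESSAGE))
    print(triage(CLEAN_MESSAGE))
```

None of these checks is conclusive on its own; a mail gateway would score them, and the combination of an executive's name, a lookalike domain, a diverted Reply-To and a macro-enabled attachment is what makes the sample message worth quarantining rather than any single indicator.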
Web Application Attacks
In 2017, the external attack vector of choice shifted from network-based attacks to attacks on internet-facing web applications. If an attacker can’t get through the firewall protecting a target’s network infrastructure, they move on to the next easiest entry point: the applications the firewall must let through by design. These could include, but aren’t limited to, online forms, shopping carts, and webmail.
If an attacker breaks an application’s authentication or exploits a flaw in it, they inherit whatever access that application has, which in a poorly segmented network can extend to the internal systems the firewall was supposed to shield. And this trend is increasing.
Although it’s difficult to hear, a significant share of breaches involve people inside an organization. Simply put, an employee or contractor is given access to the network and misuses it, for example by collecting sensitive customer data and attempting to profit from its sale to cybercriminals.
In July 2019, Capital One Financial Corporation disclosed a significant data breach affecting more than 100 million customer accounts, including some Social Security and bank account numbers. The attacker was a former employee of the cloud provider hosting Capital One’s systems, who exploited a misconfigured web application firewall to reach the data and then posted portions of it publicly. The case shows how much damage insider-level knowledge of an environment can do, even when the person no longer has a badge.
On occasion, the breach isn’t even intentional.
In 2014, hackers accessed the network of JPMorgan Chase & Co. through an employee’s home computer. The employee fell victim to a spear-phishing attack, a phishing campaign aimed at specific individuals rather than sent in bulk. The hackers had identified employee PCs as a network entry point and launched a coordinated effort to exploit this weakness.
The main reason cyberattacks are so prevalent and successful is because end users lack education about cyber-awareness, making them the weakest link in any security program. An action as simple as clicking on an unknown website or email attachment could provide a crucial attack point.
Complacency is its own kind of insider threat.
Often, organizations believe they’re safe simply because they have a network firewall in place.
If you’re not performing regular security assessments or thinking about the security of your web applications, chances are your organization could be at a higher risk for a cyberattack.
Likewise, if you’re only focusing on hot cybersecurity topics and the potential for new threats, you could be neglecting basic security initiatives and inadvertently introduce more risk to your organization.
So how do individuals and organizations protect themselves? The answer is part training and part technology.
Awareness training is a necessary first step in any security program, yet many organizations skip it, often because establishing and committing to a training program takes time and resources. It may also need backing from the organization’s governing body, management, human resources department, and IT, which can feel overwhelming.
Organizations should consider providing security awareness training for every new hire and instituting an annual refresher course for all employees. It’s imperative that organizations also employ other methods, such as a monthly email reminder or awareness posters in the break room, to frequently remind end users about safe computing habits.
Organizations must work to ensure their IT systems are current and include rigorous protections to deter and detect attacks, such as:
- Network infrastructure design and perimeter protections
- Anti-malware and data leakage strategy
- Security information and event management logging
- Incident response procedures
- Backup and restoration processes
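The logging control in the list above only pays off when something correlates the events it collects. As an added example, not code from the original article or from any SIEM product, the following rule runs over constructed endpoint file-activity log lines and flags the behaviour of the ransomware described earlier: one process renaming or writing many files with a single new extension across several directories within a short window, or dropping a ransom-note file. The pipe-separated event format, the thresholds, the host and process names and the sample lines are all constructed for this example; real deployments tune the thresholds against a baseline of normal activity.

```python
"""Ransomware activity detection over file-activity events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: correlation window
MIN_FILES = 20                   # assumption: files touched before alerting
MIN_DIRECTORIES = 3              # assumption: spread across directories, not one bulk save
NOTE_NAME_MARKERS = ("decrypt", "recover", "restore", "how_to")
NOTE_EXTENSIONS = {"txt", "html", "hta"}


def parse_event(line):
    """Constructed format: ISO timestamp | host | user | process | action | path."""
    ts, host, user, process, action, path = (f.strip() for f in line.split("|"))
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "process": process, "action": action, "path": path}


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _dirname(path):
    return path.rsplit("/", 1)[0]


def _extension(path):
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return alerts as dicts of host, process and reason."""
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e["ts"])
    alerts = []

    # Rule 1: a ransom note appears (file name promises decryption or recovery instructions).
    for e in events:
        name = _basename(e["path"]).lower()
        if (e["action"] == "CREATE" and _extension(e["path"]) in NOTE_EXTENSIONS
                and any(marker in name for marker in NOTE_NAME_MARKERS)):
            alerts.append({"host": e["host"], "process": e["process"],
                           "reason": f"ransom note dropped: {e['path']}"})

    # Rule 2: a burst of renames/creates sharing one extension, keyed by host and process.
    groups = defaultdict(list)
    for e in events:
        if e["action"] in ("RENAME", "CREATE"):
            groups[(e["host"], e["process"], _extension(e["path"]))].append(e)
    for (host, process, ext), evs in groups.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            dirs = {_dirname(e["path"]) for e in window}
            if len(window) >= MIN_FILES and len(dirs) >= MIN_DIRECTORIES:
                alerts.append({"host": host, "process": process,
                               "reason": f"{len(window)} files renamed/written with .{ext} in "
                                         f"{int(WINDOW.total_seconds())}s across {len(dirs)} directories"})
                break  # one alert per host/process/extension is enough
    return alerts


def sample_lines():
    """Constructed log lines: an encryption burst on WS-042, normal document saves on WS-007."""
    base = datetime(2019, 11, 4, 9, 15, 0)
    dirs = ["C:/Users/alice/Documents", "C:/Users/alice/Desktop",
            "//fileserver/finance", "C:/Users/alice/Pictures"]
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} | WS-042 | alice | update.exe | RENAME | "
             f"{dirs[i % 4]}/file{i}.docx.locked" for i in range(24)]
    lines.append(f"{(base + timedelta(seconds=25)).isoformat()} | WS-042 | alice | update.exe | CREATE | "
                 "C:/Users/alice/Desktop/HOW_TO_DECRYPT_FILES.txt")
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} | WS-007 | bob | WINWORD.EXE | CREATE | "
              f"C:/Users/bob/Documents/report{i}.docx" for i in range(6)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

Keying the burst rule on the new extension is what separates an encryption run from a legitimate bulk operation such as a backup job or a user saving a batch of documents: those touch many files too, but with their normal extensions and usually from one process in one directory tree. Pairing the rule with the backup and restoration process above matters because an alert is only useful if the team can act on it before the last clean backup ages out.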
Once these systems are in place, organizations stand to benefit from annual testing by an independent and qualified third party to help make sure they’re implemented properly.
It takes time and commitment to provide the training and technology to protect an organization, but when done properly, it can greatly reduce the risk of a cybersecurity breach.
We’re Here to Help
For more information on how to improve cybersecurity at your organization, contact your Moss Adams professional.