Reports / Surveys

Two in three SMBs suffered cyberattacks and data breaches in the past year

In the past twelve months, 66% of small to mid-sized businesses (SMBs) were on the receiving end of a cyberattack, and almost as many (63%) suffered a data breach, according to a recent study by Keeper Security and Ponemon Institute. The most common attacks targeting SMBs were:

  • Phishing / social engineering attacks (53%)
  • Web-based attacks (50%)
  • General malware infections (39%)
  • Device theft / compromise (37%)
  • Credential theft (29%)
  • Advanced malware infections (29%)
  • Denial of service attacks (29%)

A recent survey by Code42 found that, even though C-suite members should set an example for their staff when it comes to cybersecurity hygiene, 78% of CSOs and 65% of CEOs have clicked on URLs they shouldn't have interacted with, far higher than the average "risky click" rates for cybersecurity and business decision makers (43% and 49%, respectively). In the past 18 months, 38% of organizations suffered a data breach. When asked about the causes of these incidents, infosec and business decision makers pointed to (infosec and business figures, respectively):

  • Employees (50% and 53%)
  • Third-parties (45% and 47%)
  • External actors (28% and 22%)
  • Software failure (27% and 23%)
  • Hardware failure (20% and 25%)

Compliance is not a guarantee against data breaches

While organizations overwhelmingly agree (85%) that compliance and security are closely related issues that ought to be tackled together, they also indicate that compliance alone won’t keep them safe from cyberattacks and data breaches, a new report by Advisera shows. According to survey respondents, the most common causes of data breaches are:

  • A lack of security awareness among employees (90%)
  • The absence of security processes (75%)
  • The absence of technical standards (71%)

Only 52% of companies said that compliance failures often contribute to data breaches.

95% of malware threats are polymorphic

19 out of 20 (95.2%) malware samples encountered by Webroot in the first half of 2019 were unique to a single device, according to the company's mid-year threat update. This indicates that malware campaigns now almost exclusively rely on polymorphic code that changes itself with every infection in order to avoid detection, so a file hash seen on one victim is of little use for blocking the next one. Organizations that still rely on Windows 7 are increasingly under attack: malware campaigns targeting this operating system are up 71% from last year. The report also notes that phishing campaigns are getting increasingly sophisticated, with 24% of malicious URLs being hosted on trusted (but compromised) domains, and 29% of phishing websites using HTTPS. Both of these techniques significantly increase the odds of a victim believing a nefarious website to be safe: a padlock icon only shows that the connection is encrypted, not that the site belongs to who it claims to be.
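To make the "unique to a single device" statistic concrete, here is an added toy simulation (written for this summary, not code from Webroot or from the report). An inert byte string stands in for a payload, and each "infection" wraps it in a fresh random XOR key, so every device receives a file with a different SHA-256. A blocklist built from the first sample's hash then misses every other device, while a check that targets what stays invariant across variants (here, the decoded payload, which is what a behavioural or memory-based engine sees after the decoder stub runs) catches all of them. The payload, key length and detector names are assumptions chosen for the example.

```python
"""Toy simulation: per-infection polymorphism vs. hash-based blocklists.

Added example, not from the page or the Webroot report. The "payload" is plain
text and nothing in this file executes anything; the XOR wrapper only mimics
the effect of a polymorphic packer on file hashes.
"""
import hashlib
import os

# Constructed stand-in for attacker code; in reality this would be the
# invariant part of the malware that every variant eventually decodes.
PAYLOAD = b"inert payload: this stands in for the attacker's real code"
KEY_LEN = 16  # assumed key size for the toy wrapper


def generate_variant(payload: bytes = PAYLOAD) -> bytes:
    """Emit one 'sample': a fresh random key followed by payload XOR key.

    Every call yields a different file, so every infected device carries a
    unique hash even though the underlying code is identical.
    """
    key = os.urandom(KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return key + body


def file_hash(blob: bytes) -> str:
    """SHA-256 of the bytes as written to disk (the usual IOC)."""
    return hashlib.sha256(blob).hexdigest()


def unwrap(sample: bytes) -> bytes:
    """Undo the wrapper: this is the invariant a behavioural engine can see."""
    key, body = sample[:KEY_LEN], sample[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def hash_blocklist_detects(blocklist: set, sample: bytes) -> bool:
    """Classic IOC matching: the file hash must already be on the list."""
    return file_hash(sample) in blocklist


def invariant_detects(known_payload_hash: str, sample: bytes) -> bool:
    """Match on what is stable across variants instead of on the file hash."""
    return file_hash(unwrap(sample)) == known_payload_hash


def simulate(n_devices: int = 20) -> dict:
    """Infect n_devices, share the first victim's hash, and compare detectors."""
    samples = [generate_variant() for _ in range(n_devices)]
    # The first infection gets analysed and its hash is shared as an IOC.
    blocklist = {file_hash(samples[0])}
    known = file_hash(PAYLOAD)
    return {
        "unique_hashes": len({file_hash(s) for s in samples}),
        "caught_by_hash": sum(hash_blocklist_detects(blocklist, s) for s in samples),
        "caught_by_invariant": sum(invariant_detects(known, s) for s in samples),
    }


if __name__ == "__main__":
    # Expected shape with 20 devices: 20 unique hashes, 1 caught by the
    # blocklist (the device the IOC came from), 20 caught by the invariant check.
    print(simulate())
```

The lesson for detection engineering is the one the statistic implies: hash-only IOCs are a lagging indicator against polymorphic campaigns, and coverage comes from signatures on stable components (decoder stubs, unpacked code, behaviour, network destinations) rather than on the bytes that change with each infection.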

80% of cybersecurity incidents result from employee errors

A recent SolarWinds survey among IT professionals suggests that employees pose a much bigger threat to companies than either network and application security shortcomings or external threat actors. In the past year, errors by staff members contributed to 80% of cybersecurity incidents, while the other two causes were linked to only 36% and 31% of security breaches, respectively. Respondents said that employees most often put companies at risk through bad password habits: choosing weak passwords, managing them poorly, and sharing them.

Freaky Infosec Fact of the Week

Hackers have retrieved Wi-Fi passwords from smart light bulbs

Earlier this year, a security researcher discovered that certain LIFX smart lighting bulbs stored the owner's Wi-Fi credentials and other sensitive data in plaintext on the device. Anyone with physical access to a discarded bulb could therefore read the information out, which makes disposal of "smart" devices a credential-handling problem and not just an e-waste one.

What You Can Do

One of the biggest concerns identified in this threat summary is the proportion of C-level executives who fall for phishing. In our experience performing phishing assessments, C-level executives are usually considered out of scope (at the client's request) to avoid any potential conflicts. The survey data above make it clear, however, that in the real world C-level executives are prime targets.

To maximize the value of a phishing assessment and properly evaluate the effectiveness of security awareness training, all employees should be tested, including CEOs and other C-level executives.


About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has worked with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.

Stay Informed

  • Connect with us on LinkedIn for Professional Security Tips
  • Like us on Facebook for Personal Security Tips
  • Follow us on Twitter for News & Threat Updates