Reports / Surveys
Two-thirds of companies are vulnerable to insider threats
More than two-thirds (68%) of organizations think they are moderately (47%), very (16%) or extremely (5%) vulnerable to insider threats, while just 5% don’t think they are vulnerable at all, a recent study by Gurucul and Cybersecurity Insiders indicates. Moreover, less than half (48%) of companies have implemented appropriate measures to mitigate against insider threats, and only 42% believe they are very effective at monitoring, detecting and responding to insider attacks. This is obviously very concerning, and things only seem to be getting worse, with 68% of firms noticing an increase in insider threats in the past year. Organizations are most concerned with insider attacks involving:
- Privileged users and admins (63%)
- Regular staff members (51%)
- Contractors, service providers and temporary staff (50%)
- Privileged business users and executives (50%)
Phishing volume reaches highest level since Q4 of 2016
In the third quarter of this year, phishing attack volume increased by 46% and reached the highest level since Q4 of 2016, a new APWG report (PDF) shows. The number of targeted companies also surged from 313 per month in Q2 to over 400 per month in Q3. The industries experiencing the most attacks included:
- Software-as-a-service (SaaS) / Webmail (33%)
- Payment (21%)
- Finance (19%)
PCI DSS compliance falls to just 36.7%
A new report by Verizon shows that in 2018, PCI DSS compliance fell for the second year in a row, reaching 36.7%, the lowest level since 2013. In 2017 compliance was still at 52.5%, which already represented a slight drop from the year before when it stood at 55.4%. Moreover, compliance was significantly lower in the Americas (20.4%) than in Europe, the Middle East and Africa (EMEA, 48%) and the Asia-Pacific (APAC, 69.9%) region. The study also notes that none of the organizations that experienced a data breach were fully PCI DSS compliant at the time. However, this should not be taken to mean that compliance equals security, for true security goes far beyond compliance standards. Instead, it could indicate that security is more difficult to achieve in the absence of compliance, or simply that organizations failing to sufficiently invest in their PCI DSS compliance strategy are also less likely to invest in security.
Only 30% of firms are very confident about their security posture
Less than one-third of security professionals report high levels of confidence in the cybersecurity posture of their company (30%) and in the security solutions they have implemented (31%), a recent survey by Nominet found. In addition, just 17% of infosec pros believe their security stack to be fully effective. This lack of cybersecurity confidence puts many firms in an awkward position, especially because 71% of them actually use their alleged resilience to cyber threats as a selling point to partners and customers.
Malware attacks targeting healthcare up 45%
Cyberattacks on endpoints in the healthcare industry rose by 45% in the third quarter of this year, according to new research by Malwarebytes. Healthcare is now the seventh-most targeted sector behind education, manufacturing, services, retail, other, and government. The biggest malware threats to healthcare organizations are:
- Trojans (59% of total, increased by 82% quarter-over-quarter)
- Ransomware (12% of total, increased by 15% QoQ)
- Malware (11% of total, increased by 7% QoQ)
- Adware (9% of total, increased by 34% QoQ)
In the past year, the most prevalent Trojans targeting healthcare were TrickBot and Emotet.
Freaky Infosec Fact of the Week
Hackers have stolen Wi-Fi credentials by exploiting flaws in smart doorbells.
In June of this year, security researchers with Bitdefender discovered a serious vulnerability in the Amazon Ring Video Doorbell (PDF) that enabled them to intercept login credentials for the home Wi-Fi networks the doorbells were attached to.
What You Can Do
With phishing volume at its highest level since Q4 of 2016, organizations that are not already performing phishing assessments on a frequent basis should consider doing so. Since humans are an organization's top threat, what would your users do if someone simply asked them for information? The only way to find out is by performing a phishing assessment. Training helps educate, but a phishing assessment verifies that the education is effective.
Additionally, only 30% of firms are very confident about their security posture, which is not a lot. We believe this could be increased by organizations performing security assessments more frequently. By performing more frequent assessments, such as by leveraging vPenTest, an organization can understand what its risks are in real time and then re-perform the assessment a month later. It is far too common that the security threats that exist today existed last year as well, and organizations do not find out until their next yearly assessment.
About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.