Understanding your risks and doing the basics well goes a long way to protecting your assets.
Published today, the Verizon Data Breach Investigations Report (DBIR) 2019 examines over forty-thousand cybersecurity incidents and over two-thousand breaches. The report acts as a kind of industry barometer for cyber-attacks, giving insight into trends experienced across industries and providing empirical data to help cybersecurity practitioners prioritise how they combat these attacks.
Mishcon de Reya are an annual contributor to the report and the wider findings match many of our own observations when managing and investigating cyber incidents on behalf of our clients.
So what do the numbers tell us and what was MDR Cyber’s experience in the past year?
Financially-motivated crime doesn’t get the limelight…
Despite extensive media coverage, most cyber-attacks are not carried out by government spies looking for secrets or to sabotage their enemies. Only 23 per cent of breaches were identified in the report as carried out by nation-state actors while the majority of attacks were motivated by money.
Financially-motivated cyber crime often goes unreported or unpoliced in the UK, however it is a bigger problem than ever. At MDR Cyber we help clients manage financially-motivated incidents and, where possible, recover funds they have lost. There is a greater need than ever for swift responses to stop money moving, including cyber investigation and legal options. Organisations do not realise there may be other options available to them when faced with these kinds of incidents.
…and state-sponsored attacks are linked to strategic business goals
Despite this, attacks carried out by state-sponsored adversaries can and do happen. When they do, our experience shows that they have largely been connected with a strategic business goal that is often predictable, such as a significant merger or acquisition.
In the last year we have helped clients manage state-sponsored incidents that could have been recognised as part of their risk register early on through better intelligence or deeper connections between business strategy and cyber security risk management.
Small businesses are targeted…
Forty-three per cent of victims were small businesses and therefore less likely to have the resources to respond to cyber security incidents and maintain day-to-day operations. We have been called in to help small clients focus and implement both financial and IT recovery, so staff are not overwhelmed and make mistakes. Many small businesses would benefit from having partnerships in place with incident response companies to help respond to incidents on short notice.
…and humans are still a weak link
The rise in so called “social engineering” is clear from the report. Attackers see humans as “hackable” and trick them into disclosing information or providing access. This information can be used to target businesses, or increasingly individuals. Not only that, but threats delivered via mobile devices are particularly trusted by users, who don’t practice the same care through their handheld devices as on their computers.
Phishing still works, and will continue to work for the foreseeable future. While we may now no longer fall for a common spam phishing email, we are now seeing new types of targeted attacks that are harder to identify. Many of our clients can spot 95 per cent of e-mail issues, but struggle to deal with the 5 per cent that are more sophisticated, and yet it is these that can often cause the most harm.
Having security policies, email controls and user education that accounts for the more advanced phishing attacks goes a long way to protecting your business.
Attackers will often use the path of least resistance.
We see more and more simplistic attacks, using the least amount of technology and steps. In our experience this is because these simple attacks, simply work. We also see a lack of simple security controls across many of the incidents we manage.
Twenty-nine per cent of breaches involved stolen credentials. We have seen more and more attacks against corporate cloud email using phishing tactics to gain passwords. Many businesses would significantly reduce their risks by introducing two-factor authentication and monitoring for unusual activity.
Doing the basics goes a long way to preventing these attacks and improving your cyber hygiene should be one of the first places to start on any security programme.
The first step is knowing your weak spots in an ever-changing threat landscape, then putting in place the practical steps that drive the most impact. Get in touch with us at MDR Cyber if you’d like to discuss what the right options are for your business.