Verizon: Cyber Criminals Exploit Human Nature


You know how long it took cyber attackers to compromise any given system in 2016? In 93% of cases reviewed in a new report from Verizon Enterprise Solutions (VES), it took just minutes, or even less.

Meanwhile, those who were attacked took, at minimum, weeks in most cases to find out they had been breached, and in most cases it was customers or even law enforcement that first picked up on the breach.

It’s an alarming trend VES discovered in its Data Breach Investigations Report (DBIR), which combed through 100,000-plus incidents and 2,260 breaches in 82 countries, and concluded that the C-suite in businesses needs to better understand the risks associated with cyber attacks.

Nearly 90% of all attacks involve financial or espionage motivations, the top 10 known vulnerabilities account for 85% of successful exploits (despite being well known and unpatched for months and even years) and nearly two-thirds of confirmed data breaches involve one of the best-known issues around: weak, default and stolen passwords.

“This year’s report once again demonstrates that there is no such thing as an impenetrable system, but often times even a basic defense will deter cybercriminals who will move on to look for an easier target,” said Bryan Sartin, executive director of global security services for VES.

Ransomware attacks were up by 16%, but what really caught Verizon’s eye was the dramatic rise in phishing (an end user receiving an email from a nefarious source): a full 30% of phishing messages were opened, up 7% year over year, and nearly 15% of recipients actually clicked on the infected attachment or link included.

Phishing used to be something only cyber criminals with an espionage bent utilized, according to the report, but it’s become increasingly commonplace for those motivated by money as well, for its ability to compromise systems quickly, and target specific individuals and organizations.

“Forget that Hollywood movie. Most cyber attacks are indiscriminate and motivated by greed — not revenge or public service,” the report reads. “Most attackers are out to steal your data because of what it’s worth, not who you are. Anything that can be converted to money will do. As the value of payment card information falls — as banks improve fraud detection — attackers may increasingly turn to things like intellectual property and protected health information.”

Sartin said the “human element” continues to play a major role in how exploits occur: all the advances in information security research and cyber detection tools mean little when employees continue to fall prey to phishing emails, open themselves up to malware on their PCs and laptops, and have their credentials stolen and used for third-party sites.

“The goal is to understand how the cybercriminals operate,” Sartin said. “By knowing their patterns, we can best prevent, detect and respond to attacks.”