Phishing and Compromised Passwords Top Causes for Last Year's Security Breaches
Verizon released their ninth annual Data Breach Investigations Report (2016DBIR) earlier this year, which reports on the major security breaches and methods used by hackers to compromise businesses and governmental organizations. When it comes to hacking, organized crime syndicates lead the way with phishing email schemes that are culpable in 89% of security breaches, followed by “state-affiliated actors” which accounted for another 9% of attacks.
Phishing has transitioned from the “good ole” days when clicking on the link would take you to an obviously fake bank site to capture your login credentials. The 2016DBIR study found that 70% to 90% of malware hitting an organization is “unique” to that organization, meaning that the hackers slightly modified the malware signature hashtags so it would look like a NEW virus, even though the malware impact was the same (loading ransomware, capturing login credentials, etc.). This means that today’s stealthier version is usually customized to each company and tricks more victims into downloading a viable looking invoice or RFP request.
The scary fact is that even with all the media awareness, the 2016DBIR verified the percentage of victims responding to phishing emails is on the rise. The report found that this past year 30% of phishing messages were opened, compared to 23% in 2014, and between 10% and 20% in the previous two years. 2016DBIR also found that in 2015, the number of personnel opening a phishing email and actually clicking on the link and/or downloading the malware attachment increased to 12% (compared to 11% that were victimized in 2014).
Another scary trend is that the time it takes for people to actually receive the email and be compromised is happening faster. Of those individuals that received a phishing email in 2015, the median time for them to open the email was 100 seconds, and to click on the attachment was 3 minutes 45 seconds. With the infections happening faster, both the anti-virus vendors and firm IT departments are having a harder time responding timely. Which leads to firms needing to expand beyond traditional approaches to deal with these attacks.
The Verizon 2016DBIR suggests companies address this by first, not relying solely on antivirus software. Firms should consider filtering email before messages are received by the end user which can be done by dedicated appliances and third party remailers that are constantly being updated. Next, firms should talk with their IT consultants about implementing improved detection and response capabilities (such as monitoring outbound traffic for unusual connections and large file transfers). And finally, the area where firm administrators can lead the charge: making sure your people receive security education on a continual basis as to what they should be looking out for and be suspicious of. The “glass half full” view of the finding is while 30% opened the emails, 70% did not, and that is the group that you want YOUR personnel to be included with.
2016DBIR also found that 63% of the confirmed data breaches were facilitated by compromised credentials, meaning they were caused by stolen/weak passwords, and still today, some end users not changing default passwords! Firms should mandate all personnel change their passwords at least four times per year with “hardened” rules consisting of at least eight characters with an uppercase, lowercase, number and special character. Microsoft Exchange can be configured to force this as well as locking out an account after ten failed attempts and not being able to use any of the last ten passwords. Firms can also consider using a password manager (LastPass) or requiring dual factor authentication (Duo, RSA) Dual factor requires a confirmation on the individual’s smartphone or having a device that provides a security code for the user to key into the system to gain access.
While changing passwords and attending “another security briefing” seem painful, these two steps significantly reduce the odds of your firm being another unfortunate headline. A full copy of Verizon’s 2016 Data Breach Investigations Report can be downloaded here.
Roman H. Kepczyk, CPA.CITP is the Director of Consulting for Xcentric, LLC and works exclusively with accounting firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which includes the results of the CPAFMA 2016 Information Technology Survey.