Phishing and Compromised Passwords Top Causes for Last Year's Security Breaches

Published August 25, 2016

Verizon released their ninth annual Data Breach Investigations Report (2016DBIR) earlier this year, which reports on the major security breaches and the methods used by hackers to compromise businesses and governmental organizations. When it comes to hacking, organized crime syndicates lead the way with phishing email schemes that are culpable in 89% of security breaches, followed by “state-affiliated actors” which accounted for another 9% of attacks.

Phishing has transitioned from the “good ole” days when clicking on the link would take you to an obviously fake bank site to capture your login credentials. The 2016DBIR study found that 70% to 90% of malware hitting an organization is “unique” to that organization, meaning that the hackers slightly modified the malware so its signature hash would look like a NEW virus, even though the malware’s impact was the same (loading ransomware, capturing login credentials, etc.). This means that today’s stealthier version is usually customized to each company and tricks more victims into downloading a legitimate-looking invoice or RFP request.

The scary fact is that even with all the media awareness, the 2016DBIR verified that the percentage of victims responding to phishing emails is on the rise. The report found that this past year 30% of phishing messages were opened, compared to 23% in 2014, and between 10% and 20% in the previous two years. 2016DBIR also found that in 2015, the number of personnel opening a phishing email and actually clicking on the link and/or downloading the malware attachment increased to 12% (compared to 11% that were victimized in 2014).

Another scary trend is that the time between a person receiving the email and being compromised is shrinking. Of those individuals that received a phishing email in 2015, the median time for them to open the email was 100 seconds, and to click on the attachment was 3 minutes 45 seconds. With infections happening faster, both the anti-virus vendors and firm IT departments are having a harder time responding in time, which means firms need to expand beyond traditional approaches to deal with these attacks.

The Verizon 2016DBIR suggests companies address this by, first, not relying solely on antivirus software. Firms should consider filtering email before messages are received by the end user, which can be done by dedicated appliances and third-party remailers that are constantly being updated. Next, firms should talk with their IT consultants about implementing improved detection and response capabilities (such as monitoring outbound traffic for unusual connections and large file transfers). And finally, the area where firm administrators can lead the charge: making sure your people receive security education on a continual basis as to what they should be looking out for and be suspicious of. The “glass half full” view of the finding is that while 30% opened the emails, 70% did not, and that is the group that you want YOUR personnel to be included with.
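The outbound-traffic monitoring the report recommends can start very simply. The following is an added example, not code from the Verizon report or from any vendor product: it reads constructed flow records (timestamp, source, destination, port, bytes sent) and flags two things the paragraph above calls out, connections to external destinations that are not on an assumed allowlist of expected services, and source/destination pairs whose total outbound volume exceeds an assumed threshold. The internal address range, the allowlist, and the 5 MB threshold are all assumptions a firm would replace with its own values.

```python
"""Added example (not from the Verizon report or any vendor product): a small
outbound-traffic check over constructed flow records, flagging connections to
destinations outside an allowlist and unusually large outbound transfers."""
from collections import defaultdict

# Constructed sample flow records: timestamp,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
2015-06-01T09:00:01,10.0.0.15,10.0.0.5,445,120000
2015-06-01T09:00:07,10.0.0.15,203.0.113.7,443,5120000
2015-06-01T09:01:12,10.0.0.22,198.51.100.9,8443,750000
2015-06-01T09:01:30,10.0.0.22,198.51.100.9,8443,820000
2015-06-01T09:02:03,10.0.0.31,10.0.0.5,445,4000
2015-06-01T09:02:45,10.0.0.15,203.0.113.7,443,6200000
"""

INTERNAL_PREFIX = "10.0.0."          # assumed internal address range
EXPECTED_EXTERNAL = {"203.0.113.7"}  # assumed allowlist of known cloud/SaaS hosts
LARGE_TRANSFER_BYTES = 5_000_000     # assumed per-pair volume threshold


def parse_flows(text):
    """Turn the comma-separated records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def analyze(text):
    """Return unusual external destinations and large outbound transfers."""
    unusual = set()
    totals = defaultdict(int)
    for f in parse_flows(text):
        if f["dst"].startswith(INTERNAL_PREFIX):
            continue  # internal-to-internal traffic is out of scope for this check
        totals[(f["src"], f["dst"])] += f["bytes"]
        if f["dst"] not in EXPECTED_EXTERNAL:
            unusual.add((f["src"], f["dst"], f["port"]))
    large = {pair: total for pair, total in totals.items()
             if total > LARGE_TRANSFER_BYTES}
    return {"unusual_destinations": unusual, "large_transfers": large}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for src, dst, port in sorted(result["unusual_destinations"]):
        print(f"unusual destination: {src} -> {dst}:{port}")
    for (src, dst), total in result["large_transfers"].items():
        print(f"large outbound transfer: {src} -> {dst} {total:,} bytes")
```

On the sample data the check reports one workstation talking to an unlisted external host and another sending over 11 MB to a host that is allowed but not normally sent that much. Real deployments aggregate per time window and compare against each workstation's own baseline rather than a single fixed threshold, but the two questions asked here (who is this machine talking to, and how much is it sending) are the ones the report is pointing at.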

2016DBIR also found that 63% of the confirmed data breaches were facilitated by compromised credentials, meaning they were caused by stolen/weak passwords, and still today, some end users are not changing default passwords! Firms should mandate that all personnel change their passwords at least four times per year with “hardened” rules consisting of at least eight characters with an uppercase letter, lowercase letter, number and special character. Microsoft Exchange can be configured to force this as well as locking out an account after ten failed attempts and not allowing any of the last ten passwords to be reused. Firms can also consider using a password manager (LastPass) or requiring dual factor authentication (Duo, RSA). Dual factor requires a confirmation on the individual’s smartphone or having a device that provides a security code for the user to key into the system to gain access.
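To make the password rules above concrete, here is an added example that enforces them in code. It is not the article's own code and does not reflect how Exchange or Active Directory stores anything internally; the `Account` class, its method names, the 50,000-round PBKDF2 hashing and the 91-day expiry are assumptions chosen for illustration. It implements the four stated rules: complexity (eight characters with uppercase, lowercase, digit and special character), lockout after ten failed logins, no reuse of the last ten passwords, and expiry after roughly a quarter.

```python
"""Added example: the password rules from the article enforced in code
(illustrative; not Exchange's or Active Directory's implementation)."""
import hashlib
import hmac
import os
import re
from collections import deque
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8            # at least eight characters
LOCKOUT_THRESHOLD = 10    # lock the account after ten failed attempts
HISTORY_SIZE = 10         # remember the last ten passwords
MAX_AGE = timedelta(days=91)  # assumed: roughly four changes per year


def complexity_problems(password):
    """Return the list of rules the candidate fails (empty list = compliant)."""
    checks = [
        (len(password) >= MIN_LENGTH, "fewer than 8 characters"),
        (re.search(r"[A-Z]", password) is not None, "no uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "no lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def _hash(password, salt):
    # Store only salted, stretched hashes; never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, username):
        self.username = username
        self.salt = os.urandom(16)
        self.history = deque(maxlen=HISTORY_SIZE)  # hashes, newest last
        self.failed_attempts = 0
        self.locked = False
        self.password_set_at = None

    def set_password(self, candidate, now=None):
        """Apply complexity and history rules; return (accepted, reason)."""
        problems = complexity_problems(candidate)
        if problems:
            return False, "; ".join(problems)
        digest = _hash(candidate, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return False, "reuses one of the last %d passwords" % HISTORY_SIZE
        self.history.append(digest)
        self.password_set_at = now or datetime.now(timezone.utc)
        return True, "ok"

    def is_expired(self, now):
        """True when the password is older than MAX_AGE or was never set."""
        return self.password_set_at is None or now - self.password_set_at > MAX_AGE

    def login(self, attempt):
        """Return 'ok', 'bad_password' or 'locked'; lock after repeated failures."""
        if self.locked:
            return "locked"
        current = self.history[-1] if self.history else None
        if current is not None and hmac.compare_digest(_hash(attempt, self.salt), current):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    acct = Account("alice")
    print(acct.set_password("password"))        # rejected: fails three rules
    print(acct.set_password("Sunny-Day-2016"))  # accepted
    print(acct.set_password("Sunny-Day-2016"))  # rejected: in history
    print([acct.login("Wrong-Guess-1!") for _ in range(10)][-1])  # 'locked'
```

The history check compares the candidate against stored hashes rather than plaintext, which is why the salt is per account and reused across changes. Lockout counts failures against the account regardless of source, so in practice it is paired with an unlock timer or help-desk reset; the article's ten-attempt figure is the threshold, and the lockout duration is a separate setting.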

While changing passwords and attending “another security briefing” may seem painful, these two steps significantly reduce the odds of your firm being another unfortunate headline. A full copy of Verizon’s 2016 Data Breach Investigations Report can be downloaded here

Roman H. Kepczyk, CPA.CITP is the Director of Consulting for Xcentric, LLC and works exclusively with accounting firms to implement today’s leading best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. Roman is also the author of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization” which includes the results of the CPAFMA 2016 Information Technology Survey.