Humans remain the weak link in corporate data protection, but you might be surprised hat it isn't only rank-and-file employees duped by phishing scams who pose risks. Some companies are lulled into a false sense of cybersecurity by vendors. You read that right:Some enterprises believe the shiny new technologies they've acquired will protect them from anything.
Just ask Theodore Kobus, leader of BakerHostetler’s Privacy and Data Protection team.
While Kobus was conducting an educational workshop on endpoint monitoring, an employee for a large company mentioned a tool that it had deployed to watch over computing devices connected to the corporate network. Kobus told him the move was great because it will help speed up the time it takes to detect an incident. The employee pushed back and said, "No, it's much more than that; it's going to stop these attacks."
Taken aback by the staff's confidence in a single tool, Kobus explained the inherent dangers in believing cybersecurity technologies, no matter their speedy detection capabilities, are fool-proof.
"We talked things through and they realized -- because they weren't really thinking at the time -- that zero-day attacks are not going to be blocked by what they have in place and they need to understand what the tools are used for," says Kobus, whose team has helped enterprises address 2,000 breaches in the past five years. "That's a big problem that we're seeing. Companies really need to focus on the key issues to help stop these attacks from happening in the first place."
The anecdote underscores just how vulnerable companies are to attacks despite instituting proper protections, says Kobus, who explored the points in BakerHostetler's 2017 Data Security Incident Response Report, which incorporated data from the 450 breaches his team worked on in 2016. Companies surveyed ranged from $100 million to $1 billion in revenues across health care, retail, hospitality, financial services, insurance and other sectors.
Phishing, human error and ransomware, oh my!
At 43 percent, phishing, hacking and malware incidents accounted for most incidents for the second year in a row, a 12 percentage-point jump from the firm’s incident response report in 2015. Thirty-two percent of incidents were initiated by human error, while 25 percent of attacks involved phishing and 23 percent were initiated via ransomware. Another 18 percent of comprises occurred due to lost or stolen devices and three percent reported internal theft.
Phishing is particularly difficult to stop, Kobus says, because digital natives -- those who grew up accustomed to the rapid-fire response cadence of social media are programmed to answer emails from their coworkers quickly. Accordingly, many fall prey to business email comprises that appear to come from their CEO, CFO or another peer but in reality include a malicious payload.
"Phishing scams are never going to go away," Kobus says. "No matter what technology we put in place, no matter how much money we spend on protections for the organization, we still have people and people are fallible." With the rise of such social engineering attacks, Kobus says it's important for IT leaders to caution employees to slow down, stop and consider such emails and either walk down the hall or phone to ask a colleague if they sent the email.
Ransomware attacks – in which perpetrators introduce malware that prevents or limits you from accessing your system until a ransom is paid - have increased by 500 percent year-over-year, with BakerHostetler responding to 45 such incidents in 2016. Ransomware scenarios range from sophisticated parties that break into the network and then broadly deploy ransomware to hundreds of devices, while others are carried out by rookies who bought a ransomware kit. BakerHostetler saw several demands in excess of $25,000, almost all of which called for payment via Bitcoin.
But most companies took several days to create and fund their Bitcoin wallet to pay the perpetrator(s), says Kobus, who added that ransomware incidents will probably increase over the short term because companies have proven unable to manage let alone prevent them.
Cybersecurity programs need work
The report findings suggest enterprises have more work to do with regard to shoring up their cybersecurity practices. Kobus, whose team of 40 conducts 75 "table-top exercises" involving incident response with corporations each year, says that companies are better-served by going back to the basics, starting with proper training and planning of cyber defenses rather than rushing out to buy the shiniest new technology on the market.
Companies should, for example, teach their workforce what phishing scams look like and pepper employees with fake phishing emails to test readiness. Other basic security measures include implementing multifactor authentication to remotely access any part of the company’s network or data; creating a forensics plan to quickly initiate a cybersecurity investigation; building business continuity into the incident response plan to ensure systems remain stable; vetting the technical ability, reputation and financial solvency of vendors; deploying off-site or air-gapped back-up systems in the event of ransomware; and acquiring the appropriate cyber insurance policy.
There is no one-size-fits-all approach to cybersecurity readiness. It invariably requires an enterprise-wide approach tailored to the culture and industry of the company, accounting for regulatory requirements. And in the event of a breach, communication and transparency to consumers is paramount, Kobus says.
“It’s really about getting in there and helping them manage the breach,” says Kobus, adding that includes working with security forensics and corporate communications teams to craft the right messaging. “The goal is to communicate in a transparent, thoughtful and meaningful way. You want to be able to answer the basic questions the consumers want answered: What happened? How did it happen? What are you doing to protect me? What are you doing to stop this from happening in the future?”