50 per cent of small businesses admit to have suffered data breaches involving customer and employee data in the past year, according to a new study by Ponemon Institute.
Negligent employees who fell victims to phishing schemes, contractors and third parties were the sources of most data breaches. However, almost one-third of companies in this research could not determine the root cause. Worrisome, right?
Companies also lack confidence when it comes to defending their assets, the research shows. Only 14% of the companies surveyed rated their ability to mitigate cyber attacks as highly effective. Not surprisingly, the study reveals that insufficient personnel, budget and technologies are seen as the primary reasons for low confidence in cybersecurity posture.
35% of respondents also blame their unpreparedness on the fact that IT security is not centralized to one specific function in a company. The result: reduced accountability and less informed decision making. And they are right – IT security needs to take a front seat in the boardroom. C-suites should treat cyber threats as an enterprise risk that ought to be addressed from a strategic, company-wide, and economic perspective.
When it comes to cyber-threats, three out of four survey respondents reported that exploits have evaded their anti-virus solutions. Exploits are attacks that take advantage of a vulnerability or weakness in the operating system or outdated applications (such as Internet Explorer, Java, Adobe Flash) to infect systems.
There are two basic types of exploits: known and unknown (zero-day exploits). Known exploits are the ones we have a record of and which software developers can fix through a software update. On the other hand, a zero-day attack happens when a flaw, or software/hardware vulnerability, is exploited before the developer gets a chance to patch it – hence the name “zero-day.”
Unfortunately, this type of attacks happen quite often as exploits kits are easily accessible online. Exploit kits include a set of commands that can make a system behave abnormally. They can be used to disrupt the activity in software, hardware and anything else that is electronic. One of the most notorious exploit kits used to facilitate drive-by downloads is the Angler exploit kit. Since 2013, it has been used to spread ransomware, malvertising and even in hacktivism campaigns.
The problem resides in the fact that exploit kits can detect installed security software. This means that if certain security products are protecting the device, the exploit kit will stop itself from running. Also, through various obfuscation techniques, the malicious payload takes a different appearance, which makes detection very hard.
Cybersecure Ltd. offers multiple endpoint protection solutions under its unique product portfolio. Get more information or price quotes.
Another constant security risk is the insider threat. 59% of respondents say they have no visibility into employees’ password practices and hygiene, while 65% do not strictly enforce their documented password policies. A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. These best practices also determine how long users can keep a password before they have to change it, how frequently old passwords can be reused or the minimum number of characters for a password.
If employees fail to respect and adhere to the company password policy, they can endanger the integrity of the whole corporate network. And starting recently, US citizens who share passwords with co-workers can even be prosecuted under the Computer Fraud and Abuse Act (CFAA). The decision comes after an employee at a headhunting firm accessed the company’s candidate database using the login credentials of a former assistant, who was still with the firm.