Fool me once, shame on you, fool me time and time again, and well, you know the rest. That famous saying falls in line with security as nine types of basic attack threats hit companies over 90 percent of the time as firms repeatedly fall for the same type of scams and attacks for a decade.
After analyzing 10 years’ worth of data covering 100,000 security incidents, 92 percent trace back to nine attack vectors, according to the Verizon annual Data Breach Investigations Report (DBIR).
The nine threats include malware attacks, device loss or theft, distributed-denial-of-service (DDoS) attacks, payment card skimming and web app attacks.
The remaining four attacks are cyber-espionage, point-of-sale intrusions, insider theft and miscellaneous errors, such as sending emails with sensitive data to the wrong person.
On top of all that, there are certain sectors more prone to certain types of attacks, making it even easier for hackers to hit their targets.
In manufacturing 54 percent of attacks are cyber-espionage and DDoS, while in retail the majority of attacks are DDoS (33 percent) and point-of-sale intrusions (31 percent), the report said.
Verizon said in the financial services sector, three quarters of all incidents trace to just three types of incident: web application attacks, distributed denial of service and card skimming.
“Organizations need to realize no one is immune from a data breach,” said Wade Baker, principal author of the Data Breach Investigations Report. The wealth of data presented the worrying conclusion the “bad guys are winning” and firms need to take note, he said.
“Compounding this issue is the fact that it is taking longer to identify compromises within an organization – often weeks or months – while penetrating an organization can take minutes or hours,” Baker said.
However, Jay Jacobs, principal on Verizon’s Risk Team, said there was a silver lining to all of this. By laying out the attack patterns plaguing each industry, companies have a better understanding of what needs protecting, he said.
“This will help people work out what they should focus on. Often they’re told to do 50 things to protect themselves, but with this data, we can tell them the five key things they should focus on, before the other 45,” he said.
Jacobs added major incidents from the past 12 months, like the attack on Target, show the need for better security login tools, such as two-factor authentication are a must, as hackers go after user credentials.
“The solution [to these threats] is not to look for alternatives to the username and password login, but to add to it, such as with the ‘what you have’ method where you have a key fob or an app on your mobile that generates a code that you use alongside your credentials,” he said.
Click here to register for the report.