The 2017 Verizon Data Breach Investigations Report (DBIR) was released late last week. Perhaps not surprisingly, the DBIR noted that ransomware is on the rise and, with a 50 percent increase, is now the most common specific malware variety.
Cyberespionage, however, is the less expected finding. The DBIR found that cyberespionage is the most common type of attack seen in manufacturing, the public sector and education. Of the 2,000 breaches analyzed, more than 300 were cyberespionage related, and a good many of this type of attack began as a phishing email.
Doesn’t it so often seem that cyberattacks come back to phishing and social engineering? In fact, the DBIR found that one in 14 users were tricked by a phishing scam this past year – and worse, 25 percent of those users were fooled multiple times. No wonder John Bambenek, threat research manager with Fidelis Cybersecurity, stated in an email comment that the continued rise of phishing and social engineering-based scams shows that organizations aren’t addressing the most basic or simple cybersecurity issues. He continued:
Security awareness that is effective is actually key to help employees detect and not fall victim to phishing. It bears reminding that much of the DNC and election related hacking incidents, at their core, were phishing, not sophisticated zero-day style attacks.
Bambenek also expressed concern that education is a rising target for cyberespionage; that said, educational institutions are set up to be lucrative targets. It makes sense to me. Security is often weak on campuses, and with a steady turnover of access and endpoints, it is difficult to put strong security controls in place without interrupting the free flow of information exchange. At the same time, colleges and universities are involved in research activities that are of high interest to nation states. As Bambenek added:
It just isn’t a fair fight and great effort needs to be undertaken post haste.
Education suffers from the same problem that every other industry does – standing pat when it comes to security defenses. As the DBIR’s executive summary stated:
Many organizations are still relying on defenses that are out of date. It’s tempting, especially if you didn’t suffer a major incident, to keep the same defenses from year to year. But are those defenses aligned with the threats that organizations like yours really face?
This might explain why phishing and social engineering are still such a big problem. Could it be that security awareness training hasn’t evolved with the way cybercriminals target their attacks? They are very good at what they do – at what point does the industry begin to keep up?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba