Spring is the season for many things, including the publication of cybersecurity surveys. In the past few months, Verizon has published its Data Breach Investigations Report, the Ponemon Institute published its 2016 Study on How Organizations Manage Data Breach Exposures, the California Attorney General published its annual California Data Breach Report, and a variety of others have published reports describing the state of cybersecurity and privacy and the threats individuals and businesses face online. While the reports each contain important facts and focus on different aspects of cybersecurity, they share some key lessons for enterprises focused on risk reduction:
- The Human Factor – Whatever we do to reduce risk with technical controls, the problem remains with individual users; the human factor cannot be ignored. The Verizon report noted that recipients of phishing messages opened them 30% of the time, and 12% of those recipients took the next, and destructive, step of opening the malicious attachment or link. In other words, despite the publicity and warnings that bombard us daily, users still bypass their training and open their computers (and networks) to malware. Firewalls, sandboxes, antivirus and other protective measures can be undone by a single user who clicks on the wrong attachment or website. While much has been done, there is much left to do.
- Hackers are much faster than we are – In almost all cases the attacker's initial compromise took minutes. We, the defenders, typically take weeks to detect a breach. During that time the hacker can burrow further and further into our systems and compromise more data. Unless defenders become more nimble and respond quickly and effectively, we can expect breaches to grow in size and impact.
- The most common risks play a big role – A few well-known vulnerabilities account for the bulk of the risk. Verizon reported that 85% of successful exploit traffic was attributed to the top 10 Common Vulnerabilities and Exposures, or CVEs. This leads to an important conclusion: focusing remediation on the most commonly exploited vulnerabilities produces the best results. Once again, the low-hanging fruit may reap the greatest rewards.
- Ransomware has become the preferred attack for hackers – The technique hackers used most in 2015 was, according to Verizon, ransomware. Ransomware gives hackers a great return on their time and investment, and it is rapidly developing into new and more destructive variants. Unless enterprises take the steps necessary to counter ransomware, training personnel and preparing for the attack before it happens, we can expect ransomware to expand and become even more threatening.
- Key Lessons
- Train users. The human factor is still the weakest link; phishing and spear-phishing continue to be highly effective ways for attackers to gain a foothold in systems. Training needs to be part of the culture of an enterprise and must include everyone with access to systems, whether they are executives, line personnel or outside contractors.
- Risk Assessment. Enterprises must identify the risks to which they are subject. Each entity has a different risk profile, with unique threat vectors, capabilities and characteristics. A firm can only reduce risk by first identifying it, not by applying "one size fits all" solutions. Understanding the risks an enterprise faces allows for specific, effective countermeasures.
- Accelerate detection and response. A key advantage of hackers is their speed. It may be impossible to avoid zero-day vulnerabilities, but an enterprise can and should respond promptly and effectively to vulnerabilities once they are discovered. Invest in faster detection: when preventive controls fail, quick detection limits how long an attacker has inside the network and so minimizes the overall impact.
- Don’t forget the simple stuff. Patch the top vulnerabilities in operating systems, applications, and firmware. Enterprises must learn to act quickly or suffer what can be severe consequences. Patching is a race between the defender and the hacker, and defenders should prioritize their work based on the severity of the risk, which is one more reminder that risk assessment is key. There is no reason that serious vulnerabilities should languish for months or years. We have learned to lock the doors of our homes and automobiles; we need to do the same with our computers and mobile devices.
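One way to turn the "prioritize by severity, and don't let serious vulnerabilities languish" lesson into a repeatable process is a small ranking script over scanner output. The example below is added here and is not code from the original post or from any of the reports it cites; the SLA deadlines, weighting factors, host names and VULN-n identifiers are all assumptions constructed for illustration (they are not real CVE numbers). It ranks findings by CVSS score weighted for internet exposure and known exploitation, then flags any finding that has exceeded its severity band's patch deadline.

```python
"""Risk-based patch prioritization over a constructed scanner inventory (added example)."""
from dataclasses import dataclass
from datetime import date

# Assumed patch deadlines in days per severity band. These are an illustrative
# policy for this example, not figures from the Verizon or Ponemon reports.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed multipliers: exposure and known exploitation raise urgency.
EXPOSURE_WEIGHT = 1.5
EXPLOITED_WEIGHT = 2.0


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str             # placeholder identifiers below, not real CVE numbers
    cvss: float              # CVSS v3 base score as reported by the scanner
    internet_facing: bool
    exploited_in_wild: bool  # e.g. on the short list of heavily exploited vulnerabilities
    first_seen: date         # when the scanner first reported it


def severity_band(cvss: float) -> str:
    """CVSS v3 qualitative rating: 9.0+ critical, 7.0+ high, 4.0+ medium, else low."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Severity weighted by exposure and by known exploitation."""
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    return score


def prioritize(findings, today: date):
    """Return findings as dicts, highest risk first (oldest first on ties),
    flagging any finding that has been open longer than its band's SLA."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.first_seen))
    rows = []
    for f in ranked:
        band = severity_band(f.cvss)
        age = (today - f.first_seen).days
        rows.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "band": band,
            "risk": risk_score(f),
            "age_days": age,
            "overdue": age > SLA_DAYS[band],
        })
    return rows


def overdue_count(findings, today: date) -> int:
    """Number of findings past their SLA; a useful single metric for reporting."""
    return sum(1 for r in prioritize(findings, today) if r["overdue"])


# Constructed sample inventory; hosts, identifiers and dates are placeholders.
TODAY = date(2016, 6, 1)
SAMPLE_FINDINGS = [
    Finding("wks-17", "VULN-4", 3.5, False, False, date(2015, 11, 1)),
    Finding("web-02", "VULN-3", 5.0, True, False, date(2016, 5, 20)),
    Finding("db-01", "VULN-2", 7.5, False, True, date(2016, 2, 1)),
    Finding("web-01", "VULN-1", 9.5, True, True, date(2016, 5, 1)),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, TODAY):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f'{r["host"]:8} {r["vuln_id"]:8} {r["band"]:8} '
              f'risk={r["risk"]:5.1f} age={r["age_days"]:3}d {flag}')
    print("overdue findings:", overdue_count(SAMPLE_FINDINGS, TODAY))
```

The weighting deliberately pushes an internet-facing, actively exploited host to the top even when a higher raw CVSS score exists elsewhere, which is the practical reading of the "top 10 CVEs" finding above; the SLA check is what surfaces the low-severity item that has quietly sat open for seven months.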
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.