Regardless of an organization’s security posture, there is no perfect security. On the other hand, there is no excuse not to implement fundamental security best practices. All organizations, regardless of size, must plan for inevitable attacks and loss of (or loss of access to) critical data. By recognizing risks, planning ahead and instilling a culture of security and privacy in the entire organization, losses and their impact can be minimized. As in previous years, OTA analyzed reported breaches through Q3 2017 and found that 93% were avoidable, which is consistent with previous years’ findings. Of the reported breaches, 52% were the result of actual hacks, while 11% were due to lack of internal controls resulting in employees’ accidental or malicious events. Regular patching and paying close attention to vulnerability reports has always been a best practice and neglecting them is a known cause of most breaches,24 but this category received special attention this year in light of the Equifax breach.
The vast majority of other types of attacks – ransomware and BEC – are initiated by deceptive or malicious emails. Analysis reveals that these too are avoidable, by blocking fake messages and training users to recognize spearphishing attacks. In addition to better processing of email, there are several other steps that can prevent or limit the impact of ransomware, which include updated system and security software as well as regular data backups.25 Since BEC attacks rely almost entirely on “social engineering” deception and rarely include any malicious links or attachments, better processing of email can generally stop these attacks in their tracks. Unfortunately, the day-to-day urgency of business often prevents organizations from appropriately defending against these emailbased attacks.
Key avoidable causes for incidents:
• Lack of a complete risk assessment, including internal, third-party and cloud-based systems and services • Not promptly patching known / public vulnerabilities, and not having a way to process vulnerability reports • Misconfigured devices / servers • Unencrypted data and/or poor encryption key management and safeguarding • Use of end of life (and thereby unsupported) devices, operating systems and applications • Employee errors and accidental disclosures - lost data, files, drives, devices, computers, improper disposal • Failure to block malicious email • Users succumbing to Business Email Compromise & social exploits