Verizon data breach


The 2016 Verizon data breach indicator report (DBIR) was released recently, described by Verizon as “… bigger than ever, examining over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors including security service providers, law enforcement and government agencies, this year’s report offers unparalleled insight into the cybersecurity threats you face.”

The report revealed that we continue to leave our information systems exposed for many months (even years in some cases), subscribing to the age-old belief that the bad guys won’t be targeting us. Really? Surely, we don’t all subscribe to that belief? Not all attacks are targeted. In fact, a large number are simply opportunistic. And who can blame the attackers, especially with the goldmines of valuable information just sitting out there on the Internet, ready for the taking? With a new data breach in the headlines every other week, one thing is certain: we cannot afford to leave our systems unpatched.

Of all the mitigating controls used to reduce the risk of a breach, keeping systems and applications patched up to date is one of the best. It’s not necessarily the easiest; however, it is the most cost-effective. Despite this, it’s clear that we still don’t patch our environments properly, leaving most businesses exposed to some extent or another.

You need to consider your entire environment. Where are all your systems? What versions are you running? Where are they located? What applications might also be exposed and require patching? All this being said, there will be systems that depend on outdated, legacy software where the replacement cost is high, so they possibly need to be handled differently. Nevertheless, ignoring these issues will lead to a financial headache, and at some point you will be offering a sincere apology to your customers when their data appears on Pastebin. In some cases, you can use network segmentation to reduce the risk, so doing nothing is not the answer.

Before we look at the motivation behind attacks, one further statistic caught my eye. There is a dramatic upward trend of breaches affecting one type of asset that can’t be patched and, somewhat unfortunately, has a mind of its own: the human! Phishing campaigns yield incredible results for attackers; however, there are simple controls that can help reduce the risk. The most cost-effective and arguably simplest control is procedural in nature. A well-developed Security Awareness training and education programme will go a long way to building a security-aware culture within the workplace. This will result in a reduced likelihood of phishing campaigns being successful. Credential theft will reduce as staff use more complex passwords as good practice – arising from their heightened awareness…