Humans remain the weak link in corporate data protection, but you might be surprised that it isn't only rank-and-file employees duped by phishing scams who pose risks. Some companies are lulled into a false sense of cybersecurity by vendors. You read that right: Some enterprises believe the shiny new technologies they've acquired will protect them from anything.
Just ask Theodore Kobus, leader of BakerHostetler’s Privacy and Data Protection team.
While Kobus was conducting an educational workshop on endpoint monitoring, an employee of a large company mentioned a tool the company had deployed to watch over computing devices connected to the corporate network. Kobus told him the move was a good one because it would help shorten the time it takes to detect an incident. The employee pushed back and said, "No, it's much more than that; it's going to stop these attacks."
Taken aback by the employee's confidence in a single tool, Kobus explained the inherent dangers of believing that cybersecurity technologies, no matter how fast they detect activity, are foolproof.
"We talked things through and they realized -- because they weren't really thinking at the time -- that zero-day attacks are not going to be blocked by what they have in place and they need to understand what the tools are used for," says Kobus, whose team has helped enterprises address 2,000 breaches in the past five years. "That's a big problem that we're seeing. Companies really need to focus on the key issues to help stop these attacks from happening in the first place."
The anecdote underscores just how vulnerable companies are to attacks despite instituting proper protections, says Kobus, who explored the points in BakerHostetler's 2017 Data Security Incident Response Report, which incorporated data from the 450 breaches his team worked on in 2016. Companies surveyed ranged from $100 million to $1 billion in revenues across health care, retail, hospitality, financial services, insurance and other sectors.
Phishing, human error and ransomware, oh my!
At 43 percent, phishing, hacking and malware accounted for the largest share of incidents for the second year in a row, a 12 percentage-point jump from the firm's 2015 incident response report. Thirty-two percent of incidents were initiated by human error, while 25 percent of attacks involved phishing and 23 percent were initiated via ransomware. Another 18 percent of compromises occurred due to lost or stolen devices, and three percent were attributed to internal theft.
Phishing is particularly difficult to stop, Kobus says, because digital natives -- those who grew up accustomed to the rapid-fire response cadence of social media -- are conditioned to answer emails from their coworkers quickly. Accordingly, many fall prey to business email compromises that appear to come from their CEO, CFO or another peer but in reality include a malicious payload.