A new report from Verizon shows that ransomware attacks on retailers have doubled since 2017 and now target business critical systems.
Verizon’s 2018 Data Breach Investigations Report (DBIR) shows that ransomware is the most common type of malware, found in 39% of malware-related data breaches, double the share reported in last year’s DBIR, and accounts for over 700 incidents. What’s more, Verizon’s analysis shows that attacks are now moving into business-critical systems, encrypting file servers or databases, inflicting more damage and commanding bigger ransom demands.
The report also flags a shift in how social attacks, such as financial pretexting and phishing, are used. Attacks such as these, which continue to infiltrate organizations via employees, are now increasingly a departmental issue. Analysis shows that Human Resource (HR) departments across multiple verticals are now being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.
“Businesses find it difficult to keep abreast of the threat landscape, and continue to put themselves at risk by not adopting dynamic and proactive security strategies,” said George Fischer, president of Verizon Enterprise Solutions. “This 11th edition of the DBIR gives in-depth information and analysis on what’s really going on in cybercrime, helping organizations to make intelligent decisions on how best to protect themselves.”
Major findings of the 2018 report include:
- Ransomware is the most prevalent variety of malicious software: It was found in 39 percent of malware-related cases examined this year, moving up from fourth place in the 2017 DBIR (and 22nd in 2014). Most importantly, based on Verizon’s dataset it has started to impact business-critical systems rather than just desktops. This is leading to bigger ransom demands, making the life of a cybercriminal more profitable with less work.
- The human factor continues to be a key weakness: Employees are still falling victim to social attacks. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated – with email continuing to be the main entry point (96 percent of cases). Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.
- Financial pretexting targets HR: Pretexting incidents have increased more than fivefold since the 2017 DBIR, with 170 incidents analyzed this year (compared to just 61 incidents in the 2017 DBIR). Eighty-eight of these incidents specifically targeted HR staff to obtain personal data used to file fraudulent tax returns.
- Phishing attacks cannot be ignored: While on average 78 percent of people did not fail a phishing test last year, 4 percent of people fall for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.
- DDoS attacks are everywhere: DDoS attacks can impact anyone and are often used as camouflage, often being started, stopped and restarted to hide other breaches in progress. They are powerful, but also manageable if the correct DDoS mitigation strategy is in place.
- Most attackers are outsiders: One breach can have multiple attackers, and the report found the following: 72 percent of attacks were perpetrated by outsiders, 27 percent involved internal actors, 2 percent involved partners and 2 percent feature multiple partners. Organized crime groups still account for 50 percent of the attacks analyzed.
“Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom – the cybercriminal is the only winner here! As an industry, we have to help our customers take a more proactive approach to their security. Helping them to understand the threats they face is the first step to putting in place solutions to protect themselves.”
According to the report, 68% of breaches took months or longer to discover, even though 87% of the breaches examined had data compromised within minutes or less of the attack taking place.
While safety cannot be guaranteed, proactive steps can be taken to help keep organizations from being victims. These are:
- Stay vigilant - log files and change management systems can give you early warning of a breach.
- Make people your first line of defense - train staff to spot the warning signs.
- Keep data on a “need to know” basis - only employees that need access to systems to do their jobs should have it.
- Patch promptly - this could guard against many attacks.
- Encrypt sensitive data - make your data next to useless if it is stolen.
- Use two-factor authentication - this can limit the damage that can be done with lost or stolen credentials.
- Don’t forget physical security - not all data theft happens online.
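The first recommendation above, watching log files for early warning, is where the report's two headline findings meet: ransomware now rewrites whole file servers, yet most breaches go undiscovered for months. The following is an added example (not part of the Verizon report or this article) of a minimal early-warning check over file-server audit logs. The log format, the user names, the share paths and the `.locked` extension are all constructed for the example; real audit logs (Windows object-access events, Samba `full_audit`, NAS audit trails) carry the same fields under different layouts.

```python
"""Ransomware early-warning check over file-server audit logs.

Added example, not code from the DBIR or its authors. Assumes a constructed,
simplified audit line format:
    <ISO timestamp> <user> <action> <path>
where action is CREATE, MODIFY, RENAME or DELETE and, for RENAME, <path> is
the file's new name.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample log (not real data): alice works at a human pace, then
# bob's account starts rewriting and renaming many HR files within seconds,
# which is the pattern a file-server ransomware infection produces.
SAMPLE_LOG = """\
2018-04-10T09:00:01 alice MODIFY /shares/finance/q1.xlsx
2018-04-10T09:04:30 alice CREATE /shares/finance/notes.txt
2018-04-10T09:12:10 alice MODIFY /shares/finance/q1.xlsx
2018-04-10T09:15:00 bob MODIFY /shares/hr/payroll.csv
2018-04-10T09:15:00 bob RENAME /shares/hr/payroll.csv.locked
2018-04-10T09:15:01 bob MODIFY /shares/hr/w2_2017.pdf
2018-04-10T09:15:01 bob RENAME /shares/hr/w2_2017.pdf.locked
2018-04-10T09:15:02 bob MODIFY /shares/hr/benefits.docx
2018-04-10T09:15:02 bob RENAME /shares/hr/benefits.docx.locked
2018-04-10T09:15:03 bob MODIFY /shares/hr/onboarding.docx
2018-04-10T09:15:03 bob RENAME /shares/hr/onboarding.docx.locked
2018-04-10T09:15:04 bob MODIFY /shares/hr/org_chart.pptx
2018-04-10T09:15:04 bob RENAME /shares/hr/org_chart.pptx.locked
"""

# Extensions that normally appear on this share (assumed baseline; in
# practice, build it from a few weeks of the share's own history).
KNOWN_EXTENSIONS = {".xlsx", ".txt", ".csv", ".pdf", ".docx", ".pptx"}


def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def detect(log_text, window=timedelta(seconds=60), threshold=5):
    """Return alerts for activity that looks like mass encryption.

    Rule "burst":     one user touches more than `threshold` distinct files
                      inside a sliding `window` (raised once per user).
    Rule "extension": a RENAME gives a file an extension never seen on the
                      share, e.g. the marker extension ransomware appends.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (timestamp, path)
    burst_raised = set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, path = parse_line(raw)

        # Keep only this user's events that fall inside the window.
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()

        distinct = {p for _, p in q}
        if len(distinct) > threshold and user not in burst_raised:
            burst_raised.add(user)
            alerts.append({"rule": "burst", "user": user,
                           "at": ts.isoformat(), "files": len(distinct)})

        if action == "RENAME":
            ext = os.path.splitext(path)[1]
            if ext not in KNOWN_EXTENSIONS:
                alerts.append({"rule": "extension", "user": user,
                               "at": ts.isoformat(), "path": path})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the check raises nothing for alice and, for bob, flags the `.locked` renames from the first one and the file burst two seconds later, so the alert arrives while a handful of files are affected rather than months afterwards. The thresholds are deliberately low for the sample; on a real share they would be tuned against normal activity, and the same check is worth pairing with the "need to know" point above, since a compromised account can only encrypt what it is allowed to write.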
Now in its 11th year, the Verizon 2018 Data Breach Investigations Report leverages collective data from 67 organizations across the world. This year’s report includes analysis on 53,000 incidents and 2,216 breaches from 65 countries.
Nothing destroys consumer trust or sends investors rushing to the exits faster than a data breach. Obviously, shoppers who lack trust in a retailer’s ability to protect their personal information and financial details will frequent other merchants, sales and profits will suffer and so will the stock price of publicly held companies.
Just ask Target. The data breach it suffered in late 2013 dealt the company a staggering blow that resulted in huge fines, costly measures to restore confidence, a change in senior leadership and a host of new strategic initiatives to revive growth. Target lost valuable time in the process, which is something no company can afford when the market is moving fast and consumers have abundant choices.