Attackers are targeting people

NEWS

September 2018

...Continued from front page

all) organisations have improved their detection and management of breaches. “Reporting data breaches wasn’t mandatory for most organisations before the GDPR came into force, so while the data is revealing, it only gives a snapshot into the true picture of breaches suffered by organisations in the UK,” said Andrew Beckett, managing director and EMEA leader for Kroll’s Cyber Risk Practice. “The recent rise in the number of reports is probably due to organisations gearing up for the GDPR as much as an increase in incidents. Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organisations to report certain types of personal data breach.”

As to the source of breaches, in the past year, where the cause of the breach was properly identified, 2,124 reports could be attributed to human error compared to just 292 that were malicious attacks. The most common types of incidents due to human error include data being emailed to the incorrect recipient (447 incidents), loss or theft of paperwork (438) and data left in an insecure location (164). The loss or theft of unencrypted devices (133) is another common reason for data breach reports. The malicious incidents included unauthorised access (102), malware (53), phishing attacks (51) and ransomware (33).

The health sector was the hardest hit, accounting for 1,214 of the incidents in the past year – a 41% increase over the course of two years. This is followed by general business (362), education and childcare (354) and local government (328). However, Kroll cautions that the health sector is top of the list partly due to mandatory reporting requirements that applied only to certain sectors before GDPR came into force. Now that all sectors come under the scrutiny of GDPR, we’re likely to see a much broader spread of business sectors reporting incidents.

According to Kroll’s analysis, health or clinical data is the most common type of personal data compromised, specified in 39% of reports over a three-year period. Other kinds of personal data compromised include financial details (10%), social care data (7%), employment details (5%), criminal records or endorsements (4%) and education records (3%).

“Contrary to the popular belief that cyber-security and data breaches are all due to malicious attackers trying to break into an organisation and steal data, inadvertent human error is likely to be the biggest reason why a company loses data,” commented Tim Sadler, CEO at Tessian. “Companies routinely underestimate the risks from processes that seem safe (emailing) but can be catastrophic when humans make mistakes. Misaddressed emails are consistently one of the main forms of data security incident reported to the ICO, highlighting the importance of cyber-security and data protection policy to not only focus on preventing the headline-grabbing hacks but also save your employees from themselves.”

Meanwhile, complaints made to the ICO by third parties – such as customers – have risen even more. Another FOI request, this time by EMW, revealed that there were 6,281 complaints between May 25 and July 3 this year, a 160% increase on the same period in 2017. One possible explanation is the increased awareness of data privacy created by GDPR.

That said, there has been yet another report, published three months after GDPR came into effect, saying that more than a quarter (28%) of organisations feel they are probably not compliant. The analysis by Imperva is based on little more than a straw poll at a security event. However, when asked if they believed they would pass their first GDPR audit, fewer than half of the respondents were very confident they would, just over a third were somewhat confident and the rest were not confident.

Attackers are targeting people

Cyber-attacks are becoming more targeted, with people rather than organisations being in the cross-hairs of hackers, according to the latest quarterly report from Proofpoint.

The company’s analysis of 600 million emails, 7 million mobile apps and hundreds of thousands of social-media accounts has concluded that malware and phishing attacks are increasingly focused on individuals. Nearly two-thirds (61%) of attacks were aimed specifically at what Proofpoint calls ‘contributors’ – individuals in the workforce with specific roles but not in senior positions – and lower management staff. However, executives and upper-level managers – a smaller segment of the workforce – were on the receiving end of a disproportionately large share of attacks (29%).

People working in production or operations parts of businesses were the most frequently targeted, followed by management and then R&D/engineering. Perhaps surprisingly – given the rise of business email compromise (BEC) attacks – staff in accounting and finance departments came fourth on the list.

The number of email-based fraud attacks, such as BEC, rose 25% compared to the previous quarter and 85% compared to the same quarter in the previous year. And the volume of malicious email increased 36% against the previous quarter. Link-based phishing emails rose by 30% after a long period of decline, mainly due to the attackers finding ways to defeat automated remediation tools. Customer support fraud rose by 39% compared to the previous quarter and by 400% compared to the same quarter in the previous year, suggesting that this might be an area to watch. And there has even been something of a resurgence in ransomware, accounting for 11% of all malicious emails.

Domain spoofing, in which attackers register domain names that are very similar to those of legitimate organisations, is also rampant, with US firms being the most frequently targeted. Around a quarter (23%) of domains that impersonate US brands have active MX records, meaning that they are currently being used to send and receive mail. The report is available here: http://bit.ly/2NclJ8L.

Meanwhile, Mimecast has reported a large jump in BEC emails. An analysis in its most recent ‘Email Security Risk Assessment’ (ESRA) found that its systems blocked 41,000 such attempts in the past quarter – an 80% increase compared to the previous three months.

Computer Fraud & Security