Most Organisations’ Biggest Security Concern Is Users

• Content
• News
• Most Organisations’ Biggest Security Concern Is Users

25 April 2019 | Updated 30 April 2019

What Keeps You Up at Night – The 2019 Report looks at over 350 global organisations' security concerns and reveals people are the biggest perceived weakness.

Cybercrime continues to evolve and become more sophisticated. AI and machine learning are leveraged by many criminal organisations to help them better understand how to improve their attacks and they are now targeting specific industry verticals, organisations and even individuals. Increases in the frequency of ransomware, phishing and crypto jacking attacks were experienced by businesses of nearly every size, vertical and locale.

When it came to attack vectors, data breaches were the primary concern, with credential compromise coming in as a close second. These two issues go hand-in-hand, as misuse of credentials remains the number one attack tactic in data breaches, according to Verizon’s 2018 Data Breach Investigations Report.

Phishing and ransomware ranked next, demonstrating that organisations are still not completely prepared to defend themselves against these relatively 'old' attack vectors.

Other key findings from the report include:

• 92% of organisations rank users as their primary security concern. And at the same time, security awareness training along with phishing testing topped the list of security initiatives that organisations need to implement.

• Organisations today have a large number of attack vectors to prevent, monitor for, detect, alert and remediate; in terms of attacks, 95 per cent of organisations are most concerned with data breaches.

• Ensuring security is in place to meet GDPR requirements is still a challenge for 64 per cent of organisations, despite the regulation details being out for quite some time.

• Attackers’ utilisation of compromised credentials is such a common tactic, 93 per cent of organisations are aware of the problem - but still have lots of work to do to stop it.

• When it comes to resources, 75 per cent of organisations do not have an adequate budget.

The year of the cyber attack

“2018 was a prolific year for successful cyberattacks and many of them were caused by human error,” said Stu Sjouwerman, CEO of KnowBe4, the company that produces the What Keeps You Up at Night report. “The largest concern, as demonstrated again in this report, is employees making errors. Organisations must start with establishing a security culture. in order to combat the escalation of social engineering, they have to ensure users are trained and tested.”

Executives out, employees in

Phishing and social engineering scammers are shifting tactics, focusing efforts on low-level employees using a variety of methods as a means to cast a wider net within a targeted organisation, according to KnowBe4's Stu Sjouwerman, who says: "There are only so many executives in an organisation, right? So, it makes sense that cybercriminals want to reach the most people with the least amount of work.

According to Proofpoint’s latest Protecting People Report, that’s exactly what they’re doing. The bad guys are using some very specific tactics and targets to achieve their goals:

• 30% of credential phishing attacks targeting generic company email addresses, such as sales@.

• Individual contributors and lower level management ranked higher than executives as targets.

• 80% of organisations were involved in attacks attempting to send email to 6 or more recipients.

• 40% of organisations were intended recipients of 50 or more phishing email attacks.

"So," says Sjouwerman, "lots of emails being sent to lots of low level individuals - that’s a recipe for disaster. Without proper training, users will succumb to attacks that compromise their endpoint, their email and their credentials, giving attackers the tools needed to move laterally within the organisation, infect others with malware via corporate email and island hop to attack other companies."

Picture: KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform.

Article written by Brian Shillibeer | Published 25 April 2019

Share

Related Articles