Here’s a pop quiz: if you click on a phishing email, how long does it take the average hacker to invade your system and begin wreaking havoc?
An hour? Half a day? A week?
Try 16 minutes. And here’s the scary part: in most cases, even the savviest user isn’t aware they’ve taken the bait until 28 minutes after the click. By then, of course, it’s too late.
Even scarier: four percent of people will open any email, even ones that are blatantly suspicious. And once a person has fallen for a phishing scam, they are three times more likely to fall for another one.
Those are some of the findings from the Verizon 2018 Data Breach Investigations Report.
Protect your practice by attending our free CLE webinar on August 14 on “Top 10 Things To Prevent a Data Breach?” It’s just one benefit of membership in Alta Pro Lawyers RPG. Learn how to join here.
90 Percent of Cyber Attacks Happen Through Email
Phishing email scams account for nine out of 10 cyber attacks, according to the report.
Although most people – 78 percent, in fact – know better than to click on a suspicious email, 22 percent are at risk of clicking, and four percent will definitely take the bait.
Consider this horror story from a bank in Virginia that was hit by not one but two phishing attacks in less than a year. It started when an employee opened a toxic email. Within minutes, the company’s computers were infected with malware. The criminals were able to access STAR debit card accounts and steal $569,000 before the threat was discovered.
But the nightmare wasn’t over. Eight months later, the hackers again broke into the STAR network, this time through the bank’s Navigator portal, according to Krebs on Security. Cash was stolen from hundreds of different ATMs to the tune of nearly $2 million.
And incredibly, this happened after the bank hired a cybersecurity forensics firm to come in and beef up its defenses.
The moral of the story: disaster is only one careless click away.
Cyber Criminals Stick to What Works
The Data Breach Investigations Report analyzed more than 53,000 cyber incidents worldwide, including 2,216 confirmed data breaches.
“This year we saw yet again that cybercriminals are still finding success with the same tried and tested techniques,” according to the report. “And their victims are still making the same mistakes.”
Many of those mistakes were avoidable. Almost one in five breaches (17 percent) resulted from human error. Employees failed to shred confidential information. An email was sent to the wrong person. A web server was misconfigured. Though these actions weren’t intentional, they were still costly.
Cyber Attacks Stem from Greed
“Most cybercriminals are motivated by cold, hard cash,” the report says. “If there’s some way they can make money out of you, they will. That could mean stealing payment card data, personally identifiable information or your intellectual property.”
Here are some other findings:
- Ransomware is rampant. It’s easy to deploy and effective. “You don’t have to be a master criminal,” according to the report. “Off-the-shelf toolkits allow any amateur to create and deploy ransomware in a matter of minutes. There’s little risk or cost involved and there’s no need to monetize stolen data.”
- Cybercriminals are thinking big. Increasingly, they bypass single user devices and go after larger targets. They can wreak more havoc and make more money by attacking a file server or database.
- And they act fast. Eighty-seven percent of breaches took only minutes or less. Only three percent were quickly discovered. Two-thirds weren’t detected for months.
- The perpetrators are pros. Almost three-quarters (73 percent) of cyberattacks were perpetrated by outsiders. Members of organized criminal groups were behind half of all breaches, with nation-state or state-affiliated actors involved in 12 percent.
- Education is key. Human resource departments are focusing on educating all employees on cyber risks, especially financial pretexting and phishing. Outside consultants are brought in for specialized training. Cyber safety policies – two-factor authentication, device management, password protection, data security, keeping anti-virus software up to date – are critical.
- Watch for patterns. Almost all security incidents (94 percent) and confirmed breaches (90 percent) fall into one of several categories: web applications, point of sale, privilege misuse, and lost assets.
Don’t get caught in a phishing expedition. Alta Pro Insurance offers comprehensive cyber-liability insurance protection. Find out more here.