Wednesday, 12th August 2020

Business negligence of social engineering hacks ‘disaster waiting to happen’

Businesses across the globe risk being hit by potentially disastrous cyber-attacks because they aren’t adequately protecting themselves against basic social engineering techniques such as phishing, according to new research.

The second annual Penetration Risk Report from cybersecurity consultancy Coalfire tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities.

Employees at 71 percent of these businesses willingly offered up access credentials when targeted with phishing attacks by Coalfire’s penetration testers. In 20% of cases, credentials were shared by more than half of employees.

Human error was a persistent theme throughout the research, with weak passwords and insecure internal procedures both among the top three most common vulnerabilities discovered, alongside out-of-date software.

Andrew Barratt, UK managing director at Coalfire, said: “Our research proves that you’re only as strong as your weakest link when it comes to cybersecurity. A lot of businesses are taking steps to upgrade their security infrastructure, particularly as they migrate more systems into the cloud, but still aren’t addressing some of the fundamentals.

“The continued vulnerability to basic hacking techniques like phishing is a disaster waiting to happen for a lot of businesses. Coupled with the increased risk caused by out-of-date software and security misconfiguration our research uncovered, it’s clear that some routine security tasks are clearly still being neglected.

“It only takes one employee to click on the wrong link or unwittingly share sensitive information to a fraudulent email and a hacker is in. This makes security basics like limiting employee access based on their role as well as educating staff on how to use IT safely and how to spot suspicious activity vitally important.”

Organisations struggle to get cloud configurations right

Overall, businesses exhibited fewer high-risk vulnerabilities than they did in Coalfire’s 2018 report. But as firms move more systems into the cloud, coordinating and configuring multiple infrastructure providers and hybrid environments has become a major challenge.

Mike Weber, vice president of Coalfire Labs – the security firm’s technical testing division – said: “We believe that the improved security postures we’re seeing are due to the shift toward cloud solutions. This reduces the need to secure and maintain on-premise IT assets and enables businesses to benefit from their service providers’ security infrastructure.

“There is a misconception from many that cloud adoption automatically means accepting more risk but this is only true if it’s done poorly. Program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions when building applications in the cloud.”

The threat landscape changes in the cloud

Coalfire Labs tested cloud service providers and general businesses separately to pinpoint the risks specific to each environment. For non-cloud enterprises the top three vulnerabilities were out-of-date software, insecure protocols and password flaws.

The top three cloud application vulnerabilities were cross-site scripting, injection and security misconfiguration.

Retailers are streaking ahead when it comes to reducing risk

Coalfire’s research looked at five key sectors – tech, retail, healthcare, education and financial services. It found that retail businesses had made the most progress in reducing vulnerability in their IT environments.

Financial services saw the biggest increase in risk from external attacks, compared to 2018. Compliance struggles, privacy management, increasing third-party vendor assessments and ongoing payment card industry challenges combined to produce a 17% external risk increase over the last year.

Big businesses close the gap

Coalfire’s 2018 report found that medium-sized businesses were generally better at protecting themselves against cybersecurity threats than their larger peers. But this has been flipped on its head this year with large enterprises, across all sectors, exhibiting less vulnerability.

The testing found that big businesses were more likely to have taken the time to proactively test solutions before going to market.
