5 security awareness lessons to take away from 2018
09 January 2019
What lessons can we learn from the past year, and how can they inform our security awareness strategies going forward?
For the cybersecurity industry, 2018 was a year of highs and lows. According to Verizon’s Data Breach Investigations Report (DBIR), there were 53,308 security incidents and 2,216 confirmed data breaches.
We found cybersecurity being taken increasingly seriously, with fines for breaches increasing under the newly launched GDPR. The UK Government also moved with the times, releasing a new Internet of Things code of practice to ensure that connected devices are ‘secure by design’.
Incidents affecting large businesses dominated the headlines, including data breaches at British Airways, MyFitnessPal and Marriott International.
We also saw heightened public awareness of data security and more conversations around privacy and consent, particularly following the Cambridge Analytica scandal and the launch of GDPR.
So, what lessons can we learn from the past twelve months, and how can those lessons inform our security awareness strategies going forward?
1. Accidents happen
From failing to shred confidential documents to mislaying personal data, simple mistakes caused various data breaches in 2018.
Human error was the cause of one in five data breaches
Verizon DBIR, 2018
In February, for example, the Australian government inadvertently sold cabinets containing top secret records to a second-hand furniture store.
In March, it was reported that the personal data of more than 21,400 marines was leaked after an unencrypted email was sent to the wrong distribution list.
2. People continue to fall for phishing campaigns
According to the DBIR, social engineering attacks were the cause of 1,450 security incidents and 381 confirmed breaches in 2018.
While the general public has become more knowledgeable about phishing scams, an average of 4% of phishing campaign targets will still click on the malicious link.
As well as large-scale, generic phishing campaigns, cybercriminals are increasingly using more targeted methods. These sophisticated attacks target fewer people, but the extra effort put in is designed to elicit a higher click-rate and higher return.
Of the social engineering attacks investigated in the DBIR, more than 11% of incidents were attributed to ‘pretexting’, where cybercriminals create a false narrative to perpetrate an attack. This includes methods such as spear-phishing and whaling.
These targeted attacks are increasing, with the DBIR reporting a rise in pretexting from 61 incidents in 2017 to 170 in 2018.
One high profile spear-phishing attack targeted Italian football club Lazio, who were duped into paying €2 million to cybercriminals who impersonated a Dutch club selling player Stefan de Vrij.
3. Passwords are still a weak link
Awareness about the importance of strong passwords is high, but people are reluctant to change their behaviour.
In May, LogMeIn’s global survey revealed that while 91% of respondents acknowledged that using the same password across different accounts is a security risk, 59% did precisely that.
Even companies using LastPass password manager have an average security score of just 52 out of 100
LastPass Global Password Security Report, 2018
Weak passwords remain an issue at all levels. For example, Western Australia’s Auditor General reported in August that a quarter of government accounts used ‘weak or commonly used passwords’, including ‘Password123’.
4. Response times are slow
The DBIR reports that while cybercriminals can compromise a system within a matter of minutes, it takes much longer than this, often weeks or months, to discover the breach.
In August, for example, Yale University revealed a data breach of 119,000 people’s details, ten years after it took place and one month after it was discovered.
Marriott International also hit the headlines in November, when the personal details of 500 million guests were stolen after an unknown third party accessed the guest reservation database for four years.
5. We are all targets
We saw some high-profile breaches in 2018. In February, a massive data breach compromised the personal details of around 150 million users of diet and exercise tracking app MyFitnessPal.
In September, thousands of customer card details were stolen from British Airways customers after a ‘sophisticated’ attack, believed to have been caused by a malicious ‘skimming script’.
While the big corporations dominated headlines, the truth is that we are all at risk, and we can find plenty of instances from 2018 to support this.
For example, in July it was revealed that iPhone users had been targeted with a new type of scam specifically aimed at those checking their emails on their mobile phones. Users were sent emails warning of unauthorised access to their accounts, before being directed to a fake Apple Support site. Once on the site, a call dialogue box would open on their phone, pre-populated with the scammers’ phone number.
In the same month, cybercriminals emailed people their own passwords in order to convince victims that they had been secretly filmed watching explicit content. Security experts believe that the passwords may have been stolen in previous breaches.
What does this mean for 2019?
The past year has shown that accidents will happen, so we should emphasise the importance of establishing secure routines to help reduce inadvertent incidents.
When breaches do occur, we need to react quickly to limit the damage caused.
In terms of malicious breaches, while some cybercriminals are using more sophisticated methods to steal our data, most are using the same tried-and-tested techniques, and victims are still making the same mistakes.
Cybercriminals prey upon weaknesses in our cybersecurity practices, so we should move into 2019 with a renewed focus on security awareness.
From the importance of strong, unique passwords to continued awareness of phishing, communication and training are our best defence against cyber-attacks.