82% of organizations expect a cyber attack

Training people on how to detect and react to potential cyber attacks is widely believed to decrease the effectiveness of a particular attack vector.

Preeti Gaur

2014 was a newsworthy year in terms of cybercrime. Major enterprises like Target, Home Depot and Sony Entertainment experienced breaches that required the companies to pay hundreds of millions of US dollars to cover costs of the attacks. JP Morgan Chase and other financial institutions were affected even more severely.

While these enterprises shared the similar misfortune of experiencing incidents, the incidents themselves were not all the same. In the cases of Home Depot and Target, intrusion initially occurred via hacked third-party vendors and financial gain was the motivation. Sony was the victim of extremely sophisticated malware that was used to steal confidential information.

The threat actors that are most frequently penetrating enterprise security include cybercriminals, hackers and nonmalicious insiders.

The attack types that most frequently succeeded against respondents’ enterprises in 2014 are, in order, phishing, malware, hacking attempts and social engineering.

While technical and administrative controls can aid in preventing or at least delaying many of these attack types, often the human is the biggest weakness. Training people on how to detect and react to potential security attacks is widely believed to decrease the effectiveness of a particular attack vector. Correspondingly, a significant majority (87 percent) of the survey respondents reported having an awareness program in place and, of these, 72 percent believed it to be effective.

However, the data tells a different story. The survey results indicate that the enterprises that are not leveraging awareness training are actually faring better than the ones that are. Enterprises that have an awareness program in place actually have a higher rate of human-dependent incidents such as social engineering, phishing and loss of mobile devices. Additionally, threat actors are more frequently penetrating enterprise security among enterprises that have an awareness program in effect. Especially troublesome is the percentage of nonmalicious insiders that are impacting enterprise security: It is 12 percent higher in enterprises that have an awareness program in place than in those that do not.

It is no surprise that the cyberthreat is real. Enterprises are finding incidents of cyber attack to have increased in both frequency and impact. More than three-quarters of the survey respondents (77 percent) reported an increase in attacks in 2014 over 2013. Even more—82 percent—predicted that it is ‘likely’ or ‘very likely’ they will be victimized in 2015.
