Verizon released its ninth annual Data Breach Investigations Report last month, which reports on the major security breaches and the methods hackers used to compromise businesses and governmental organizations. When it comes to hacking, organized crime syndicates lead the way, with phishing email schemes implicated in 89 percent of security breaches, followed by “state-affiliated actors,” which accounted for another 9 percent of attacks.
Phishing has moved on from the “good ol’ days” when clicking on the link took you to an obviously fake bank site built to capture your login credentials. The 2016 Verizon study found that 70 to 90 percent of malware hitting an organization is unique to that organization, meaning that the hackers slightly modified the malware so that its signature hash looked like a new virus—even though the malware’s impact was the same (loading ransomware, capturing login credentials, etc.). Today’s stealthier version is usually customized to each company and tricks more victims into downloading a plausible-looking invoice or RFP.
The scary fact is that even with all the media awareness, the 2016 report verified that the percentage of victims responding to phishing emails is on the rise. The report found that this past year 30 percent of phishing messages were opened compared to 23 percent in 2014 and between 10 percent and 20 percent in the previous two years. This year’s study also found that in 2015, the number of personnel opening a phishing email and actually clicking on the link and/or downloading the malware attachment increased to 12 percent (compared to the 11 percent that were victimized in 2014).
Another scary trend is that the time it takes for people to actually receive the email and become compromised is shortening. Of those individuals that received a phishing email in 2015, the median time for them to open the email was 100 seconds, and to click on the attachment took 3 minutes 45 seconds. With the infections happening faster, both the antivirus vendors and firm IT departments are having a harder time responding in a timely manner—which leads to firms needing to expand beyond traditional approaches to deal with these attacks.
The Verizon report suggests companies head the problem off at the pass instead of relying solely on antivirus software. Firms should consider filtering email before messages reach the end user, which can be done with dedicated appliances and third-party remailers that are constantly being updated. Next, firms should talk with their IT consultants about implementing improved detection and response capabilities (such as monitoring outbound traffic for unusual connections and large file transfers). And finally, the area where firm administrators can lead the charge: making sure your people receive security education on a continual basis about what they should be looking out for and being suspicious of. The “glass half-full” view of the finding is that while 30 percent opened the emails, 70 percent did not, and that is the group you want your personnel to be included with.
The Verizon report also found that 63 percent of the confirmed data breaches were facilitated by compromised credentials—meaning they were caused by stolen/weak passwords—yet today, some end users are still not changing default passwords. Firms should mandate all personnel change their passwords at least four times per year with more specific rules consisting of at least eight characters with an uppercase, lowercase, number and special character. Microsoft Exchange can be configured to force this, lock out an account after ten failed attempts and disallow the use of the last ten passwords. Firms can also consider using a password manager (e.g., LastPass) or requiring dual factor authentication (e.g., Duo, RSA). Dual factor requires a confirmation on the individual’s smartphone or having a device that provides a security code for the user to key into the system to gain access.
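The password rules above, as an added PowerShell example that is not part of the original article: Exchange mailboxes authenticate against Active Directory accounts, so the length, complexity, history and lockout settings are applied to the AD default domain policy. The domain name `corp.example`, the 91-day maximum age (roughly four changes per year) and the 30-minute lockout timings are assumptions.

```powershell
# Added example: apply the article's password rules to the Active Directory
# default domain policy. Needs the ActiveDirectory module (RSAT) and
# Domain Admin rights. The domain name below is a placeholder.
Import-Module ActiveDirectory

$domain = 'corp.example'   # placeholder; (Get-ADDomain).DNSRoot gives the current domain

$policy = @{
    Identity                 = $domain
    MinPasswordLength        = 8                          # at least eight characters
    ComplexityEnabled        = $true                      # Windows' built-in rule: three of the
                                                          # four classes; it does not force all four
    PasswordHistoryCount     = 10                         # disallow reuse of the last ten passwords
    MaxPasswordAge           = New-TimeSpan -Days 91      # ~four changes per year (assumed interval)
    MinPasswordAge           = New-TimeSpan -Days 1       # prevents cycling through the history at once
    LockoutThreshold         = 10                         # lock after ten failed attempts
    LockoutDuration          = New-TimeSpan -Minutes 30   # assumed value
    LockoutObservationWindow = New-TimeSpan -Minutes 30   # assumed value
}
Set-ADDefaultDomainPasswordPolicy @policy

# Verify what is now in effect for the domain.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold, LockoutDuration
```

Requiring all four character classes rather than Windows' three-of-four rule needs a fine-grained password policy or a password filter; the built-in complexity flag alone will not enforce it.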
While changing passwords and attending yet another security briefing may seem painful, these two steps significantly reduce the odds of your firm being another unfortunate headline. A full copy of Verizon’s 2016 Data Breach Investigations Report can be downloaded
Roman H. Kepczyk, CPA.CITP, CGMA, LSS BB, is the director of consulting for Xcentric LLC and works exclusively with accounting firms to implement best practices and technologies incorporating Lean Six Sigma methodologies to optimize firm production workflows. He is also the author of “Quantum of Paperless: A Partner’s Guide to Accounting Firm Optimization.” This article originally appeared in the e-newsletter of the CPA Firm Management Association.