A pair of reports released this week reveal that the vast majority of hacking attacks that threaten businesses are down to human error.
Employees clicking on malicious links in emails, companies failing to apply available patches to known software flaws and technicians who do not configure systems properly were among the major causes of breaches identified in separate reports by Verizon Communications and Symantec.
The report from Verizon found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing attacks - emails with malicious links or attachments.
Verizon's data - which comes from the company's own business investigations, as well as data from 70 other contributors including law enforcement - showed that so many people fall for these phishing attacks that sending emails to just 10 employees will get hackers inside a corporation's system 90 per cent of the time.
"There's an overarching pattern," said Verizon scientist Bob Rudis. Attackers use phishing to install malware and steal credentials from employees, then they use those credentials to roam through networks and access programs and files, he said.
The report also found that while major new vulnerabilities such as last year’s Heartbleed bug are being exploited by hackers within hours of their announcement, more attacks last year were down to patchable vulnerabilities dating from 2007, 2010, 2011, 2012 and 2013.
Symantec's report draws on data from 57 million sensors in 157 countries. It found that phishing attacks are proving so successful that even sophisticated state-sponsored spies are relying on the method, because it is both effective and draws less scrutiny than more high-tech approaches.
Once inside a system, spies then turn to more advanced methods, Symantec said, writing customised software to evade detection by whatever security programs the target has installed.
"Once I'm in, I can do what I need to," said Robert Shaker, an incident response manager at Symantec.
The report also identified a 113 per cent increase in ransomware attacks in 2014, in which hackers encrypt a computer's files and promise to release them only if the user pays a ransom. Some 80 per cent of the time, the files are not decrypted even if the victim pays.
The report also identified a more worrying trend, whereby hackers do not even demand a ransom. According to Shaker, potential motivations could be securing information for resale to other spies and potential saboteurs or storing up bargaining chips in case the attacker wants to make demands in the future.
Another section of the Verizon report produced the first analysis of the actual costs of breaches derived from insurance claims, rather than survey data.
Verizon said the best indicator of the cost of an incident is the number of records compromised and that the cost rises logarithmically, flattening as the size of the breach rises. According to the new model, the loss of 100,000 records should cost roughly $475,000 (£325,000) on average, while 100 million lost records should cost about $8.85m.
Verizon's researchers said that the most effective way to tackle these threats is information-sharing, but this would have to be essentially in real time, from machine to machine, and across multiple sectors - a daunting proposition.