Verizon’s 2016 Data Breach Investigations Report (DBIR) – which analyses more than 100,000 data security incidents across 82 countries – continues to provide food for thought.
The DBIR found that “63% of confirmed data breaches involved weak, default or stolen passwords”. Moreover, the “capture and/or reuse of credentials is used in numerous incident classification patterns”, from “highly targeted attacks” to “opportunistic malware infections”.
This is hardly surprising: criminals will always take the easiest route. And when user credentials are so easy to come by, why wouldn’t criminals exploit them rather than following a more labour-intensive approach?
As the DBIR found, “social engineering remains worryingly effective” as a means of harvesting user credentials. According to Verizon, “almost a third (30%) of phishing messages were opened—up from 23% in 2014. And 12% of targets went on to open the malicious attachment or click the link—about the same as 2014 (11%).”
These incidents could have been prevented with better user awareness.
“User security awareness continues to be overlooked as organisations fail to understand that they need to make their employees the first line of defence,” commented Verizon Enterprise Solutions’ managing principal of investigative response, Laurance Dine.
We frequently counsel against using weak passwords but it is equally important to remember that you shouldn’t share or reuse your login information either. After all, even the strongest password, if it becomes widely known, offers no barrier to access. If you share your information or reuse the same credentials to sign into numerous accounts, a single data breach will jeopardise the security of all of them. In an enterprise context, one lazy user could cause a massive corporate data breach.
If you’re a manager, it’s essential to train your staff to be aware of information security risks and the threat of phishing. You also need robust information security policies that enforce the use of strong and regularly changed passwords, and proper access management policies that ensure the only people who can access your networks and systems are the ones who should. You should also look into using two-factor authentication where practicable.
The information security standard ISO 27001 sets out the requirements of a best-practice information security management system (ISMS) that addresses people, processes and technology. All organisations – whatever their size, sector or location – can use ISO 27001 to address the information security threats they actually face.
Moreover, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture and business efficiency while providing a higher level of confidence to customers and stakeholders, as well as allowing you to meet your legal, contractual and regulatory data protection obligations.
Help towards ISO 27001 certification
IT Governance has been helping organisations implement ISO 27001 for well over a decade, and is your single source for everything to do with ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy and software to help you implement an information security management system in your organisation.
Starting at just £380, our ISO 27001 Packaged Solutions combine all of these resources in fixed-price packages to suit all needs.