Unbeknownst to them, employees and individual users often open the door to criminals by using easily-guessable passwords.
Drawing on data from 691 breach investigations from across 24 countries, the 2014 Trustwave Global Security Report found that 96 per cent of applications that Trustwave scanned in 2013 contained one or more serious security vulnerabilities while weak passwords continue to plague businesses.
The report also found that 71 per cent of compromises were not detected by a company, while the median number of days it took organisations to self-detect and contain a breach was one day, whereas it took organisations 14 days to contain the breach when it was detected by a third party.
Also, the typical number of days from initial intrusion to detection was 87, and the median number of days from detection to containment was seven. Upon discovery of a breach, 67 percent of victims were able to contain it within 10 days.
Robert J. McCullen, chairman and chief executive officer at Trustwave. “As we have seen in our investigations, breaches are going to happen. However, the more information businesses can arm themselves with regarding who are their potential attackers, what those criminals are after and how their team will identify, react and remediate a breach if it does occur, is key to protecting their data, users and overall business.”
John Yeo, EMEA director of SpiderLabs, said that this shows that companies need to build up a good evidence-based picture of what took place that is “right across all aspects of information security”.
He said: “We see material failures time and time again. Logging or monitoring is not done right or weak passwords are prevalent, and these are key security failings in what we investigate. Especially in e-commerce, it is about logging and traversing experience and by time we go in, there is no data available to piece together a picture.”
Yeo claimed that in the report, there is evidence that “some things we are still getting wrong” and it was “not a simple problem”.
He said: “Some of the things we thought about in the past on activity on awareness training have not been that effective, and there are more sets of things to protect against and we are not getting that much better about defending against one thing.”
Adrian Davis, managing director EMEA at (ISC)², said that the report showed that organisations need to get the basics right, and rehearse and test how to work after an attack or breach. “But you need a workable plan for if you get breached, and need to know what to do,” he said. “It is not just about plans, it is about putting your money where your mouth is.”