October Insights - The Halloween Edition
With Cyber Security Awareness Month concluding on none other than Halloween, our latest insights this month come in the form of some scary cyber security statistics... With a side of expert advice of course.
👻 We begin with scary stat #1
A recent survey carried out by SANS found that, of 300 ethical hackers questioned, nearly 60% said that on average they need five hours or less to break into a corporate environment. This includes reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
Scary stuff.
What does our ethical hacker, James Hickie, have to say about this?
Taking an offensive stance when it comes to battling malicious actors is crucial. Offensive security tests are vital to an organisation’s security because they help IT teams learn how to handle many of the latest attack vectors. Penetration testing is just one type of offensive test that can be done and serves as a way to examine whether an organisation’s security controls are genuinely effective. It's the first thing I’d suggest for an organisation that wants to understand its current weaknesses and future improvement actions.
😈 Scary stat #2 incoming
In the 2022 Verizon Data Breach Investigations Report (DBIR), the authors comment that changing human behavior is required to help reduce the role of the human element, especially in driving breaches. However, they also acknowledge that this is “quite an undertaking” for many organisations.
Adopting a human-centric, zero-trust security strategy can help an organisation manage its security risks more effectively by specifically focusing on threats that target and exploit the people that matter most: its employees. In doing this, it can turn its number one weakness into its first line of defence.
What does our Infosec Expert, Lex Soboslay, have to say?
“Taking a human-centric approach will help business leaders understand how their people are targeted by hackers. This could be anything from how they may be working in high-risk ways to how they access valuable company data.
To mitigate these risks appropriately, you must first identify the most vulnerable people in your organization, understand the threats they face, and find out how they are being targeted by attackers. Once you’ve done this, you can implement appropriate controls that will protect them, your business and its reputation.”
From understanding the risks associated with personal devices to the importance of document permissions and file sharing, tailored employee training is a must.
😨 A shocking stat for #3
The 2022 Cyber Security Breaches Survey identified that almost 4/10 businesses in the UK have experienced an attack in the last year… Scary odds for any business.
In terms of attack type, the NCSC state that ‘of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%). One in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.’
What does our Head of Cyber Security, Ryan Pullen, have to say about this?
“Given the number of threats in the wild, it’s critical that organisations deploy 360-degree solutions in order to prevent successful attacks. Organisations with a sophisticated cyber security strategy may opt for an “assume breach” approach where it’s primarily targeting anomalous behaviors already with access to your systems and heuristic analysis.
Indeed, there are some obvious and basic things that you can do, such as making sure you’re not using the same passwords for different accounts and enabling multi-factor authentication where possible. Yet for true continuous protection, organisations should be looking to implement a security strategy driven by a combination of offensive, defensive and advisory techniques to cover multiple angles.”
💀 We've got some repeat offenders for stat #4
In the recent IBM Cost of a Data Breach Report 2022, eighty-three percent of the 550 organisations studied have experienced more than one data breach; only 17% said this was their first data breach.
So why exactly are data breaches recurrent?
Sam B, our OSINT expert at Stripe OLT, says:
“Once you’ve had one data breach and it’s been made public amongst malicious actors, you’re asking for trouble. Leaked credentials are up for sale on the dark web, and once these have been used successfully, you’re going to have a target on your head.
Realistically, unless you’ve built a strong cyber security culture in your business, there are always going to be risky employees. You know – the ones that use the same password for their personal accounts and work accounts… But, it’s not all doom and gloom - you can find out which credentials are available online...”
Want to know how? We provide Breached Credential Simulation services and Digital Footprint Reviews for those interested - get in touch for more info.
⚡️ You're asking for trouble with stat #5
According to IBM, in their 2022 study it took an average of 207 days to identify a breach and 70 days to contain it; an unsurprising statistic considering many organisations have limited security capabilities. In terms of the cost (USD), they identified:
Although the costs are scary, the important question is, why does it take so long to detect?
Our Head of Security Architecture, Austen D, says:
“If you don’t have a robust security solution in place, this timeline has a lot to do with how long malicious actors act undetected as they move laterally within your environment, gain access to user credentials and data, and then exfiltrate it. It’s imperative every organisation takes security-by-design seriously, to ensure a hacker’s capabilities are limited, if they do indeed access your network and infrastructure...”
Want to know even more? You can read the full piece here.
⚡️ Finishing on a not-so-scary note - we're looking for more experts to join our team!
From client-facing to technical, entry level to established... We've got a range of roles available on our website; our most recent opportunities include:
Think you, or someone you know, could be a good fit? Send your CV to recruitment@stripeolt.com.
🚀 We're growing fast and always on the lookout for new talent!
Since you've made it this far, you should probably subscribe and join us on our journey...