I’ve waited with bated breath for the 2017 Verizon Data Breach Investigations Report and it’s finally out. It’s full of juicy, nightmare-inducing cybercrime data again this year. The most recent report analyzes 1,935 breaches and 42,068 incidents across 84 countries, and, according to the experts, the data set confirmed that this was the “year of cyber espionage.”
According to John Loveland, a bigwig cyber security guy at Verizon:
We [Verizon] found that 21% of the breaches in this year’s data set were related to espionage. And cyber espionage was particularly a threat in manufacturing, where it accounted for 86% of the breaches, and the public sector — at 41%.
Beyond cyber espionage, there’s more bad news for us in-house accountants and auditors: The financial services industry experienced about a quarter of the confirmed breaches. ATM skimming, Denial of Service (DoS) attacks, and botnets are the three big, overbearing issues in the industry. After that, privilege misuse is the next big contender. Did we never learn that power corrupts? Geez. Lock it down! Stop giving people too much power and spread it around a little.
In sum, here are the recommendations for financial services firms:
Taunt them a second time—Use two-factor or multi-factor authentication to help secure all web applications.
Make a new plan, Stan—In this industry you are likely to be the target of a DoS attack. Have a DoS protection and mitigation service in place before you need it, and make it your job to know the details of the agreement with the provider: what traffic volume it covers, how quickly mitigation kicks in, and who has to make the call.
It’s not that I don’t trust you, but…—Keep an eye on employees and periodically monitor their activities. Do not give them permissions they do not need to do their job, and make sure you disable accounts immediately upon termination or voluntary departure.
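The third recommendation is the one a CPA can actually test. As an added example (not from the Verizon report or this post), here is a small Python check that reconciles a constructed HR roster and a constructed directory export against constructed authentication log lines, and reports the two control failures the recommendation warns about: terminated employees whose accounts are still enabled or still logging in, and accounts holding privileged groups their role does not require. The roster, directory, group policy and log format are all hypothetical.

```python
"""Offboarding and least-privilege control check (added example, constructed data)."""
from datetime import date, datetime

# Constructed HR roster: each employee's role and termination date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "accountant", "terminated": None},
    "bob":   {"role": "accountant", "terminated": date(2017, 4, 28)},
    "carol": {"role": "sysadmin",   "terminated": None},
    "dave":  {"role": "accountant", "terminated": date(2017, 3, 15)},
}

# Constructed directory export: account state and group membership.
DIRECTORY = {
    "alice": {"enabled": True,  "groups": {"gl-users"}},
    "bob":   {"enabled": True,  "groups": {"gl-users"}},                    # left, never disabled
    "carol": {"enabled": True,  "groups": {"domain-admins"}},
    "dave":  {"enabled": False, "groups": {"gl-users", "domain-admins"}},   # accountant with admin group
}

# Hypothetical access policy: the groups each role legitimately needs.
ROLE_ALLOWED_GROUPS = {
    "accountant": {"gl-users"},
    "sysadmin":   {"gl-users", "domain-admins"},
}

# Constructed auth log lines in a simple "<timestamp> auth key=value ..." layout.
AUTH_LOG = """\
2017-04-27T09:02:11 auth user=bob result=success src=10.0.0.12
2017-05-01T08:15:44 auth user=bob result=success src=10.0.0.12
2017-05-02T13:40:02 auth user=alice result=success src=10.0.0.20
2017-05-02T22:11:09 auth user=dave result=failure src=203.0.113.7
2017-05-03T07:58:30 auth user=carol result=success src=10.0.0.5
"""


def parse_auth_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" auth ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts_str),
                       "user": fields["user"], "result": fields["result"]})
    return events


def terminated_but_active(roster, directory, events):
    """Terminated employees whose account is still enabled, or who logged in
    successfully after their termination date (same-day logins are tolerated,
    an assumption to adjust to local policy)."""
    findings = []
    for user, rec in roster.items():
        term = rec["terminated"]
        if term is None:
            continue
        acct = directory.get(user)
        if acct and acct["enabled"]:
            findings.append((user, "account still enabled"))
        late = [e for e in events
                if e["user"] == user and e["result"] == "success" and e["ts"].date() > term]
        if late:
            findings.append((user, f"{len(late)} successful login(s) after termination"))
    return findings


def excess_privilege(roster, directory, allowed):
    """Accounts holding groups beyond what their role permits. An account with
    no roster entry has no permitted groups, so orphan accounts surface here too."""
    findings = []
    for user, acct in directory.items():
        role = roster.get(user, {}).get("role")
        extra = acct["groups"] - allowed.get(role, set())
        if extra:
            findings.append((user, sorted(extra)))
    return findings


def run_checks():
    events = parse_auth_log(AUTH_LOG)
    return {
        "terminated_but_active": terminated_but_active(HR_ROSTER, DIRECTORY, events),
        "excess_privilege": excess_privilege(HR_ROSTER, DIRECTORY, ROLE_ALLOWED_GROUPS),
    }


if __name__ == "__main__":
    for check, results in run_checks().items():
        print(check)
        for user, detail in results:
            print(f"  {user}: {detail}")
```

On the constructed data this flags bob twice (account never disabled, and a login three days after termination) and dave once (an accountant carrying domain-admins). Running the same reconciliation on a real HR extract and directory export is a repeatable test of the control rather than a one-time interview question.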
Solid advice. Those of us CPAs who preach general IT controls all day can appreciate the experts at Verizon vindicating our efforts. (By the way, I do love their flair for spicing up the information. After my own heart. If you’re bored, the whole report is a fun read.)
Other advice provided in the report is to retire your old, worn out password — yes, the password you use for everything under the sun — and start fresh. There’s a big market for breached data including passwords, and cyber criminals are using stolen and weak passwords as an easy way in: a password stolen from one site gets tried against every other account you own. We still love to hate those dreaded password policies, but they only work if you change your passwords once in a while and don’t use the same one for everything.
Once you have those passwords reset to a shiny, new one, don’t be seduced by a phishing attempt. The report found that 1 in 14 users fell for phishing (followed the link or opened the attachment), and the consequences can be more damaging than in the past since phishing and malware often double team. It’d be a big headache, obviously. Be vigilant and wary of random password prompt screens and of unexpected requests to grant an app access to your account. There’s a super nasty Google Doc phishing scheme floating around right now that’s very convincing. If the phish has snagged you already:
Check your Google account’s app permissions (the list of third-party apps connected to your account). There should not be an app called “Google Docs” there, because the actual Google Docs is a first-party Google service that already has access to your account and never appears as a connected app. If you see one listed, remove it by tapping the label and hitting “Remove.” Revoking it matters on its own: if a phish tricked you into granting an app access to your account, changing your password does not cancel that grant.
Oh, and change all your passwords, pronto. Google reports they have the phishing issue handled but I would be wary still.
Since last year’s stats are also miserable, I can guess what next year will bring. Pay attention, people! We clearly haven’t learned our lessons yet.