Get used to bad security: Password problems stay strong in annual breach stats

Verizon's 2017 data breach investigations report reads like a psychology playbook: If you keep pounding on the same information and calls for action, some of it has to sink in at some point. But that point hasn't arrived yet.

Thus, it was not surprising that weak passwords, a longtime source of security woes, continued to plague networks at all types of organizations last year. The reported 81% of hacking-related breaches occurring through the use of stolen or weak passwords was consistent with past years, as was the 51% of hacks that included or used malware.

In its introduction, Verizon acknowledges that the report can't really answer the question of whether companies are getting better at protecting their networks, but said readers of the study could leverage the data to improve an organization's awareness of security problems and understand where threats originate.


Data for this year's report came from reported security incidents monitored by Verizon and 65 other participating organizations during 2016. More than 42,000 "security incidents" and nearly 2,000 breaches were cited in the study, with Verizon saying the sampling closely reflects the reality of the risk in data security.

Outsiders perpetrated 75% of breaches, while internal personnel were culpable for 25%, the report said. In another growing concern, 51% involved organized crime groups.

In categorizing the victims of breaches, 24% affected financial organizations, while 15% affected retail and accommodation industries. Health care industry breaches also came in at 15%.

On the retail side, from 214 web-application incidents reported from stores with an online presence, 93 incidents were confirmed to have data disclosure. Of those, 209 occurred through system hacking after perpetrators gained access through weak passwords or credentials stolen from employees through phishing attacks. In addition, 19 included placement of malware, and another 15 included social media vulnerabilities.

Of 67 incidents reported at physical brick-and-mortar stores, 39 occurred through payment card skimmers, 11 from miscellaneous errors and eight from point of sale malware.

"The continued exploitation of weak passwords is incredibly frustrating," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "Unfortunately, I think passwords will be with us for a while, particularly when it comes to merchant systems."

The security industry is seeing some strides made to eliminate passwords in the mobile environment, but "we still have a long way to go when it comes to online interfaces, which represent the bulk of the merchant point-of-sale ecosystem," Conroy added.

For 43% of hacks, perpetrators used social media to find victims, while 14% were caused by misuse of system access or privileges, and another 8% occurred simply through human error.

Hackers are after money more often than not, as the report revealed that 73% of breaches were financially motivated, with 21% related to espionage.

The report should serve as an alarm to the many organizations still relying on outdated security approaches, Pravin Kothari, chairman and CEO of CipherCloud, said in a statement delivered to media.

"This is especially true given the huge shift towards cloud applications, as organizations increasingly put sensitive data outside of their networks," Kothari said. "Even the best firewall in the enterprise won't detect attacks on data in the cloud."

In that regard, organizations should focus on protecting data in the network, cloud and mobile devices through encryption methods, Kothari added. "But never share your encryption keys with third parties, cloud providers or their administrators," he added. "Encryption is very effective, but if you share keys, you lose control and increase the risk of breaches."

Indeed, third-party risk remains a significant problem in data security, said Brian Zeman, chief operating officer of third-party risk management provider Prevalent Inc., in a media statement.

It remains apparent that the industry continues to have "a blind spot" of vulnerability to third-party breaches like those that occurred at Target and Home Depot in recent years, Zeman said.

"Compelling breach events and third-party risk mandates of new regulations make it clear that third-party risk management must be a top-five priority for any security-driven organization," Zeman added.

Aite's Conroy agrees that organizations protecting payment or private data continue to make it "way too easy for these organized crime rings" by exposing common vulnerabilities in weak passwords, configuration errors and employees falling for phishing attempts.
