It’s that time of year, and unfortunately, cybercriminals are all tricks, no treats. Despite the fact that security spend continues to rise, so do security incidents. In this post, we’ll look at top vulnerabilities and security incident trends to understand three common ways attackers are getting into organizations right now.
Phishing is a form of social engineering that relies on human interaction to get into systems. And it’s one of the top vulnerabilities an organization faces, according to Verizon’s 2016 “Data Breach Investigations Report.”
Of the sample in Verizon’s report, there were more than 9,500 phishing incidents last year. Thirteen percent of folks clicked on a phishing attachment and 916 incidents resulted in data disclosure.
To put this into perspective, the average 10,000-person company spends about $3.7 million annually dealing with phishing attacks.
There are many tactics in the phishing toolbox to trick the end user; they’re all typically aimed at gathering sensitive data and often include email links/attachments that install malware.
These are ploys by expert cybercriminals—89 percent come from organized crime syndicates. And phishing scams are often the entry point to the nooks and crannies of your organization’s data.
And even though the attackers are experts at what they do, the fix is seemingly simple: email filters, along with training staff to be more aware of the types of attacks they face and how to avoid them, can go a long way.
A study by Ponemon Institute (linked to earlier) found that employee security training improved the phishing email click rate by 64 percent.
Here’s one that may or may not surprise you: 63 percent of data breaches involve weak, default or stolen passwords. The use of stolen credentials and malware targeting username and password authentication is still quite prevalent, according to the Verizon report.
From the report:
The capture and/or reuse of credentials is used in numerous incident classification patterns. It is used in highly targeted attacks as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.
In fact, 1,429 incidents involving data disclosure were recorded in the research. When you look at all the costs that go into a data breach, from direct costs related to financial loss to post-breach costs while dealing with the aftermath, this results in an average cost of $7 million to a U.S. organization.
Cybercriminals use weak or stolen passwords to their advantage in a variety of ways. The following chart shows the most common “threat action varieties associated with attacks involving legitimate credentials,” from the Verizon report:
That said, protecting your Microsoft Active Directory should be a priority for any organization.
Active Directory is used by over 90 percent of the world’s organizations to manage access to nearly every piece of IT infrastructure, including users, data, applications, computers, storage and the network. And it has known issues related to credential hijacking.
3. Miscellaneous Errors
The majority of data breaches typically fall into one of several common buckets. The Verizon report found that the category of “miscellaneous errors” was among the top when it came to security incidents.
Again, this involved the human element, and included any unintentional action that resulted in a data breach. From the report:
Traditionally, this pattern has been dominated by the Trio of Trouble: Misdelivery, Publishing and Disposal errors and they make their annual appearance in Figure 31. Last year we grew our corpus to include data that shed light on availability issues caused by non-malicious spikes in traffic. Those capacity shortage errors lead the way this year, followed by worker bees either sending emails or documents to the wrong recipients. Classified as Misdelivery errors, these events have seen many a person curse the existence of autocomplete in their Outlook To: field.
While humans aren’t perfect (we, of course, all make mistakes) it could be said that many of these miscellaneous errors might be avoided if companies weren’t understaffed and overwhelmed by competing IT priorities.
According to Cisco, there are 1 million unfilled security jobs worldwide due to a talent shortage. And while companies spend more and more on system upgrades and security products, the in-house security talent to manage those systems and products still falls short, leaving organizations just as vulnerable.
Hyper-converged solutions make it easier for organizations to manage and integrate their networking, storage and compute components. These solutions focus on functionality, though, and security is still an afterthought. This has proven to be a painful choice for customers.
That’s why organizations should consider a turnkey approach that offers flexibility and control.
At the end of the day, it’s easy to get spooked by our attackers. But if we put the right people, processes and technology in place to disrupt those who are lurking in the dark shadows, we’ll more easily divert their tricks on Halloween and every other day of the year.