Less than a Quarter of Businesses Are Cyberattack-Ready

InfoSecurity Magazine: Less than a Quarter of Businesses Are Cyberattack-Ready

On average, only 23% of organizations are capable of responding effectively to a cyber-incident. This is especially bad for companies in the retail and hospitality sectors, which were the top-attacked verticals in 2015.

That’s the word from NTT Group’s annual Global Threat Intelligence Report, which found that not only do 77% have no capability to respond to critical incidents, but that the addressable fixable issues of social engineering and exploits of old vulnerabilities continue to be popular attack vectors.

In fact, spear phishing attacks accounted for approximately 17% of incident response activities supported in 2015. In many cases, the attacks targeted executives and finance personnel with the intent of tricking them into paying fraudulent invoices.

The bad guys are putting more effort into social engineering too. Activity related to the reconnaissance phase of the Lockheed Martin Cyber Kill Chain (CKC) accounted for nearly 89% of all log volume. These logs accounted for approximately 35% of escalated attack activity, making reconnaissance the largest single element in the CKC.

The report also found that all of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash. In 2013, the top 10 vulnerabilities targeted by exploit kits included one Flash and eight Java vulnerabilities. That has changed as new Java vulnerabilities have dropped steadily since 2013. The number of publicized Flash vulnerabilities jumped by almost 312% over 2014 levels.

But here’s the kicker: Nearly 21% of vulnerabilities detected in client networks were more than three years old. Results included vulnerabilities from as far back as 1999, making them more than 16 years old.

Read the full article on InfoSecurity Magazine.