Rapid7 has revealed details of its latest study on access and security controls companies have in place to avoid user-oriented attacks.
With the increase in adoption of cloud services, mobile devices, third-party applications and social media in the workplace, organisations need to recognise that their employees represent a significant risk.
Enabling employees to use a range of cloud services, as well as their own mobile devices, can yield significant productivity gains and make for a more engaged workforce. However, it becomes increasingly difficult to gain insight into what users are doing in cloud environments, on personal devices or on the corporate network, whether they are accessing personal data or business-critical data.
As a result, organisations are often unable to detect attempted or successful data theft. In fact, the Verizon Data Breach report stated that 66% of reported breaches remained undetected for months or more in 2012.
Rapid7 recently surveyed IT professionals at more than 550 organisations about the access and security controls they have in place to reduce the risk of user-oriented attacks.
According to the Verizon Data Breach report, social attacks were reported four times more in 2012 than in previous years, with phishing being the social tactic of choice 77% of the time. As a reflection of this, many organisations are integrating security awareness into corporate culture as a way to reduce the likelihood that employees will click on a malicious link or open a dangerous email attachment. In this study, Rapid7 found that 66% of respondents conduct user security awareness training to reduce the risk of successful phishing attacks.
Despite the publicity surrounding the dangers of weak passwords, ineffective and reused passwords are just as prevalent today as they have always been. Immediately following the LinkedIn data breach in June 2012, Rapid7 compared leaked passwords from the 2010 Gawker Media breach with the stolen passwords of LinkedIn users, and found that the same weak passwords publicised two years before were still being used, often as part of a longer password or passphrase. With users likely to reuse ineffective passwords, 89% of companies have a password policy in place – a high percentage but still not 100%.
Despite the password policies in place in a majority of organisations, only 56% of respondents audit password policy compliance across all authentication services, not just Windows. Domain policy lets Windows administrators force users to create stronger passwords for their Windows logins, but a policy enforced on one system says nothing about the others: organisations must also ensure that every other password-protected asset is held to, and checked against, the same policy.
User-based risk is on the rise. Organisations increasingly face an evolving IT environment, which includes mobile devices, cloud services, and employee-installed applications. As a result, the number of ways that cybercriminals can target users to infiltrate the business and steal sensitive data seems endless.
It is critical that organisations gain greater visibility into the user and the different environments they access. To understand the potential risk, organisations should start by quantifying user risk and identifying the riskiest behaviours of people in the organisation. Armed with that information, organisations can make better-informed decisions about the key controls that can be put in place to mitigate user-based risks.