In 2019, a total of 8.5 billion data records were leaked. Alarmingly, misconfigured systems account for 85% of the causes. It makes no difference whether the servers are operated in-house or by a third party. Poor password hygiene also remains a major problem.
Phishing, scanning, exploitation and reuse of access data – the biggest problems
Phishing was the initial attack vector for a third of the compromised accounts. The recently published IBM study speaks of a total of 8.5 billion records stolen in 2019 alone. Scanning for and exploiting vulnerabilities also accounted for 30% of data thefts. Notably, security holes for which official patches already exist, for example in Windows Server and Microsoft Office, still lead to large thefts.
Password reuse also allows attackers to steal further data. The study identified this approach as well. The BSI recently revised its guideline on password change intervals: a password no longer has to be changed every 90 days, but only after a compromise has been detected. For now, it has to be said that none of the guidelines serve their purpose.
Whether the General Data Protection Regulation (GDPR) is in principle able to raise the level of security can also be doubted. The GDPR itself contains numerous security gaps.
Study based on 70 billion security events
The collected data contains further interesting findings. For example, TrickBot is classified as the most active banking Trojan. Private and public institutions are affected equally. The trend among cyber criminals is clearly towards ransom extortion. This successful business model has been actively practiced since 2017. The most successful ransomware attacks of 2019 temporarily incapacitated the Berlin Court of Appeal, among others. The court is still struggling with the consequences today.
Human and technical security gaps endanger business success
The latest Risk Barometer study from Allianz has already put cyber threats in first place. This effectively forces every company that plans to implement digitalization in the short, medium or long term to deal with cyber threats. The challenge is setting priorities. After all, both technology and people are attacked at regular intervals via digital channels.
For companies looking for an initial assessment of potential attack vectors, a look at RISKREX may be worthwhile. Digital Risk Management identifies technical and human security vulnerabilities and helps measure the success of IT security projects. Awareness campaigns or pentests can then be conducted.