Many businesses are failing when it comes to cyber security, including basic practices like updating software and using strong passwords. So says a new report by security firm Positive Technologies.
In gathering the results of security assessments, including penetration testing, Positive Technologies saw some alarming patterns in security vulnerabilities. In 68% of cases, the firm found it was possible to breach clients’ defences and access their local area network (LAN). 31% were at risk of infection by the WannaCry ransomware – despite the fact its existence has been widely publicised for many months.
In one case, they found an unpatched vulnerability that was 18 months old. That’s a year and a half during which a business network had a flaw that could have been patched easily.
For the penetration testing, 44% of successful attacks were based on brute-forcing login details for web apps, database management systems and so on. Brute-forcing simply means trying as many different passwords as possible to find the right one. It usually involves running software that can get through thousands, if not millions, of words per minute.
The success of brute-forcing is a reflection of poor passwords within organisations. Positive Technologies found that many businesses used ‘dictionary’ passwords for all sorts of things. These are passwords that are likely to be included in lists of common passwords, which hackers use to break into networks. The survey found that 40% of businesses use a dictionary password for their company Wi-Fi. 38% of passwords in externally accessible web applications were also ones that could be easily guessed. And for both database management systems and email, dictionary passwords were used 64% of the time.
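One defensive check a practitioner can run against the ‘dictionary password’ problem described above, as an added example that is not from the Positive Technologies report or from TMB: it normalises a candidate password (case, common letter-for-symbol swaps, appended digits and symbols) before comparing it with a wordlist, so that ‘Welcome2018!’ is caught as the dictionary word ‘welcome’. The wordlist and the sample passwords are constructed stand-ins; a real audit would load a full common-password list.

```python
import re

# Constructed miniature wordlist standing in for a real common-password list.
# In practice, load a full list (e.g. a breached-password corpus) from disk.
COMMON_PASSWORDS = {
    "password", "welcome", "qwerty", "letmein", "admin", "summer",
    "monday", "companyname",
}

# Reverse the letter-for-symbol swaps people use to dress up a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Digits and punctuation commonly bolted onto the front or back of a word.
PADDING = r"[\d!@#$%^&*?.]+"


def normalise(candidate: str) -> str:
    """Reduce a password to the dictionary word it is probably built on."""
    word = candidate.lower()
    word = re.sub(PADDING + r"$", "", word)   # strip trailing "2018!" etc.
    word = re.sub(r"^" + PADDING, "", word)   # strip leading "123" etc.
    return word.translate(LEET_MAP)           # "p@ssw0rd" -> "password"


def is_dictionary_password(candidate: str, wordlist=COMMON_PASSWORDS) -> bool:
    """True if the password, or the word it is built on, is in the wordlist."""
    return candidate.lower() in wordlist or normalise(candidate) in wordlist


def dictionary_share(passwords) -> float:
    """Fraction of a password set that would fall to a dictionary attack."""
    if not passwords:
        return 0.0
    return sum(is_dictionary_password(p) for p in passwords) / len(passwords)


# Constructed sample set, such as an auditor might pull from a password dump
# that the organisation itself has recovered during an assessment.
SAMPLE_PASSWORDS = [
    "P@ssw0rd", "Welcome2018!", "Summer2019", "Tr0ub4dor&3",
    "x7#Lq9!vB2mR", "Qwerty123", "L3tm31n", "correct horse battery staple",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:32} -> {normalise(pw):12} dictionary={is_dictionary_password(pw)}")
    print(f"dictionary share: {dictionary_share(SAMPLE_PASSWORDS):.0%}")
```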
As if all of this wasn’t bad enough, businesses didn’t do well in phishing email tests either. In seven out of every eight companies tested, employees were tricked into entering their passwords into a fake authentication form. That’s particularly worrying, because it only takes one employee to fall for a scam for the whole organisation to suffer. In total, 26% of employees clicked on email links to phishing websites.
What does all of this tell us, though?
For a start, it’s clear that businesses that don’t carry out updates in a timely fashion put themselves at increased risk. Yes, cyber crime is constantly evolving, but security companies are also constantly creating patches to combat new threats, so it’s important to be up to date.
This report also shows, as we’ve said before, that human error plays a major role in successful cyber breaches. Weak passwords, social engineering and so on are easy to exploit and all too common. To counteract this, you need appropriate cyber security training and clear policies and procedures about what to do in the case of a breach.
If you're worried about your organisation's cyber security, contact TMB to arrange a free IT audit. We'll help you to understand your current solutions and work out what's best for you.