I ran across a few articles recently that had some numbers I found quite shocking. According to a recent study by HP, upwards of 44% of breaches could be attributed to vulnerabilities for which a patch had already been available for two to four years. In other words, patches that could have prevented the breaches altogether had been sitting uninstalled for more than two years.
Last year the media highlighted the WannaCry ransomware attack that crippled thousands of systems around the world. The infection spread rapidly across unpatched networks by exploiting a vulnerability for which Microsoft had issued a patch a full two months earlier. It is surprising that some organizations had not applied a two-month-old patch, but the truly shocking part is that a month later the Petya malware exploited the very same vulnerability. Even after the intense media coverage of WannaCry, people still had not installed the Microsoft security patch that would have protected them.
Something as simple as keeping all workstations and servers patched eliminates a huge percentage of these incidents for little or no cost. If you are working with an MSP, patching should be included in your monthly service.
Additionally, according to a CNET article, 46% of ransomware attacks are directly attributable to email or phishing scams. Granted, some of these attacks succeed only when an end user's mistake is combined with the absence of an organization-wide patching solution. But even on a fully patched system, an end user falling for a phishing scam can have catastrophic consequences. On the low end, the cost to a small or mid-sized organization can be in the tens of thousands of dollars. The recent ransomware attack at the Colorado Department of Transportation cost $1.5 million in labor alone to clean up the infection!
Your employees are your organization's weakest security link. According to Intel, a full 97% of people around the world are unable to identify a sophisticated phishing email. As many as 30% of phishing messages are opened by the targeted users, and 12% of those users click on the malicious attachment or link. End user education and security training are the key to protecting your organization from these attacks.
Take cybersecurity seriously by first doing the simple things to protect yourself. The first step at the organizational level is as easy as regularly scheduled preventive maintenance:
- Keep up to date on your server and workstation patching.
- Use centrally managed antivirus to ensure all your users have the most up-to-date virus definition files and that their systems are receiving regularly scheduled scans.
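As an added illustration of those two maintenance items (this is an example written for this page, not a script from the original article or from any vendor), here is a PowerShell check a Windows administrator or MSP could run on each workstation or server to confirm that the two things above are actually happening. It assumes Microsoft Defender is the antivirus product, and the age thresholds are illustrative values chosen here, not an industry standard:

```powershell
# Added example (not from the original article): local patch-and-antivirus hygiene check.
# Assumptions: Windows with PowerShell 5.1 or later and Microsoft Defender. The three
# threshold values below are illustrative choices for this example, not a standard.
param(
    [int]$MaxPatchAgeDays     = 30,
    [int]$MaxSignatureAgeDays = 1,
    [int]$MaxScanAgeDays      = 7
)

$findings = @()
$now = Get-Date

# 1. Patching: how long since the most recent update was installed?
# Get-HotFix only lists updates that ARE installed; it cannot tell you what is missing.
# The "what is missing" view has to come from WSUS, SCCM, Intune or the Windows Update API.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $lastPatch) {
    $findings += "No dated hotfix entries found; verify the host is enrolled in patch management."
} else {
    $patchAge = ($now - $lastPatch.InstalledOn).Days
    if ($patchAge -gt $MaxPatchAgeDays) {
        $findings += "Last update $($lastPatch.HotFixID) installed $patchAge days ago (limit $MaxPatchAgeDays)."
    }
}

# 2. Antivirus: engine on, real-time protection on, definitions current, scheduled scan ran.
# Get-MpComputerStatus covers Microsoft Defender only; a third-party product needs its own query.
try {
    $av = Get-MpComputerStatus -ErrorAction Stop

    if (-not $av.AntivirusEnabled)          { $findings += "Antivirus engine is disabled." }
    if (-not $av.RealTimeProtectionEnabled) { $findings += "Real-time protection is disabled." }

    if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Definitions are $($av.AntivirusSignatureAge) days old (version $($av.AntivirusSignatureVersion))."
    }

    # QuickScanAge is the number of days since the last quick scan; a huge value means it never ran.
    if ($av.QuickScanAge -gt $MaxScanAgeDays) {
        $findings += "Last quick scan was $($av.QuickScanAge) days ago (limit $MaxScanAgeDays)."
    }
} catch {
    $findings += "Microsoft Defender status unavailable: $($_.Exception.Message)"
}

# 3. Report. A non-zero exit code lets an RMM or scheduled job flag the host for follow-up.
$hostName = $env:COMPUTERNAME
if ($findings.Count -eq 0) {
    Write-Output "$hostName : patching and antivirus checks passed."
    exit 0
} else {
    Write-Output "$hostName : $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it as an administrator on a single machine, or push it to the fleet with Invoke-Command and collect the exit codes. The important caveat is the one in the comments: an installed-hotfix list proves only that patching ran at some point, not that nothing is outstanding, so the check complements a central patch-management console rather than replacing it.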
The next simple steps are:
- Create and clearly communicate your security policies.
- Train your employees on the importance of cybersecurity and how to recognize phishing attempts.
Remember that end users play the primary role in most breaches. Arm your users with the knowledge and policies they need to protect themselves and your organization.