Let's look at the commonalities between these various incidents and the emerging patterns behind them.
- Targeted attacks – These attacks have been very carefully planned, orchestrated and executed. These highly sophisticated attacks qualify as advanced persistent threats (APT), engineered specifically against target companies.
- Social engineering attacks – Cyber criminals are now targeting and manipulating employees inside the organization, “hacking the human mind” to break into the organizations' systems. Our research has shown nearly half of enterprises have been attacked by social engineering techniques and can cost businesses anywhere from $25,000 to more than $100,000 per security incident.
- Information: A hacker's gold mine – Financial and competitive information is not the only valuable data worth stealing. What we see in these breaches is that attackers are looking more for general customer information and less for specific billing or credit card data. Indeed, such information can be very lucrative for spammers.
What lessons can we learn and how can companies stay protected?
Companies shouldn't buy into the illusion that they are not susceptible to attacks. Targeted attacks are on the rise and no company is fully bulletproof. Businesses must implement as many barriers as possible between their corporate network and assets and the cyber criminals.
Multilayered protection starts with knowing what assets are most critical to your organization and implementing an in-depth security strategy – that spans across the business and all channels of communication – from the network to the endpoint and mobile devices. Simultaneously, businesses should define a solid and well-structured security policy to enforce their protections. This policy needs to be aligned with the business objectives and be clearly understood by the employees of the organization.
Human error is the one security problem that technologies alone can't fix and for which there is no patch. It is up to organizations to actively engage, train and educate their employees in order to turn them into real, security-aware corporate gatekeepers.