Most companies sit on cybersecurity breaches for weeks before they're discovered — while they take hackers only minutes to perpetrate, a new report said Tuesday.
In 93 percent of cases where data was stolen, systems were compromised in minutes or less, according to Verizon's 2016 Data Breach Investigations Report. But in over 80 percent of cases, victims didn't find the breach for weeks or more, Verizon's data showed.
"Criminals are getting better, faster and nobody on the defensive is getting better fast enough," said Bryan Sartin, an author of the report. He said it usually takes a third party to find signs of a data breach.
Verizon's enterprise branch analyzed more than 100,000 incidents and 2,260 breaches collected by 67 organizations to come up with the report, which found that more than 90 percent of breaches fall into the same patterns.
But businesses overlook those patterns — with sometimes devastating consequences, Sartin said.
"There's no such thing as an impenetrable system, but often even a half-decent defense will deter many cybercriminals — they'll move on and look for an easier target," the report's authors write. "Sadly, many organizations fail to achieve even that modest ambition."
Verizon's annual hacking dossier comes after another year of high-profile data breaches and unnerving cybersecurity reports. Software maker Symantec, for instance, estimates that 75 percent of legitimate websites have vulnerabilities that potentially expose them — and anyone who visits their sites — to cybercriminals. Scams like stealing tax returns and holding hospital computers hostage have surged.
But the notoriety of cybercrime hasn't necessarily stopped employees from falling for the same old tricks, Verizon found. Sixty-three percent of data breaches involved weak, default or stolen passwords, Verizon reported. And 30 percent of phishing messages were opened over the past year, up from 23 percent in 2014, the report said.
That's because even if your technology is tightly controlled, people remain easy to fool, Sartin said. Indeed, once a phishing email is sent, it takes only about 1 minute and 40 seconds before the first user takes the bait, the study showed. The median time to the first click on the attachment was 3 minutes, 45 seconds.
With so many personal details available on social media, phishing emails are better camouflaged than ever, Sartin said.
"It's spear phishing that's becoming more effective and efficient," said Sartin. "It's customized emails tailored to a smaller group with the hope that 50 percent, not 5 percent, fall prey."
Denial of service (DDoS) and crimeware, like ransomware, have made headlines, representing 15 percent and 12.4 percent of attacks, respectively, according to Verizon. But even more pervasive are the effects of physical theft of sensitive paperwork from desks or cars, insiders stealing data for financial gain, and mistakes, like sending sensitive information to the wrong person, the report found.
Verizon suggests simple prevention tactics like fixing breaches promptly, training staff, monitoring management systems, and using encryption and two-factor authentication. Sartin said that it's important for executives to understand the few attacks that are most prevalent in their sector so they can be smart about targeted cybersecurity spending.
Despite troublesome findings in the report, Sartin said that the study isn't out to instill fear of data breaches, but rather, empower businesses to take action.
"Most people believe that cyberattacks are so complex and fast moving that you are helpless to do anything about them," Sartin said. "We see exactly the opposite: It's the same flaws and omissions that set the stage."