Symantec recently published its 2016 Internet Security Threat Report, detailing threats captured through its worldwide intelligence sources. It estimates that more than half a billion personal records were lost or stolen during 2015, illustrating that no one should consider themselves immune from a data breach. The report provides details on the main attack vectors used, including spear-phishing attacks and ransomware.

In total, the number of identities exposed grew 23 percent in 2015 to reach 429 million lost in confirmed breaches. Furthermore, Symantec cautions that the number of breaches seen in 2015 is likely considerably higher than reported, as there was an increase of 85 percent in organizations choosing not to report the full extent of breaches experienced, meaning that this could just be the tip of the iceberg.

Industries Most Likely to Be Breached

Organizations operating in the health sector are the most likely to suffer a data breach, accounting for 39 percent of the total number of incidents, with 4 million identities exposed and 36 percent of the breaches involving the theft or loss of medical records. In terms of data breaches that left identities exposed, the social services sector was the most frequently targeted, with 191 million identities exposed, followed by insurance carriers at 100 million.

Spear-Phishing the Method of Choice for Many Attackers

Unlike phishing attacks, which target multiple people (increasing the chances that at least one will raise the alarm), spear-phishing attacks are highly targeted and generally appear to come from someone the target knows, or a person or company that they trust. Attackers will go to great lengths to make their exploits seem plausible to the victim. Overall, there was a 55 percent increase in spear-phishing attacks during 2015, with firms in the financial services sector singled out most often. Given this high level of growth, it’s vital that organizations step up their efforts to raise security awareness among employees so that they understand the dangers of opening attachments or clicking on links in emails.

Small Organizations Increasingly Targeted

Over the years that Symantec has been producing this research, attackers appear to be switching tactics from primarily targeting large enterprises to targeting businesses of all sizes. In 2011, spear-phishing attacks against organizations with more than 2,500 employees made up 50 percent of the total seen, but that had fallen to 35 percent in 2015. This can partly be explained by the increase in highly targeted attacks against individuals, rather than a reliance on more general phishing attacks that are launched en masse, often targeting hundreds of individuals at an organization. As a result of this switch, small organizations with 250 or fewer employees were the target of 43 percent of attacks in 2015, up from 18 percent in 2011.

Ransomware on the Rise

Another threat vector seeing a spike in 2015 was ransomware, particularly the more damaging crypto-ransomware variety that encrypts files and folders, ostensibly until the victim pays a ransom. There has also been an increase in the number of ransomware attacks targeting mobile devices. Attackers have found that ransomware can be extremely profitable since it provides an immediate financial return, rather than requiring attackers to sell information stolen in a heist before any gain can be realized. The use of crypto-ransomware increased by 35 percent over the course of 2015.

Because mobile devices are being increasingly targeted, organizations must impose at least minimum security standards for those devices and should consider mandating that only highly secure mobile devices and platforms are used. Many attackers rely on known vulnerabilities, so patches should be distributed to all users if a centralized platform is used.

It’s Getting Personal

As illustrated by the data in Symantec’s report, attackers are increasingly targeting specific individuals in order to up their chances of success. Everyone needs to be vigilant, and businesses should ensure that their employees are provided with the tools and information that they need to best protect themselves and the organization as a whole.


Posts By

Fran Howarth

Fran Howarth is an industry analyst specializing in security. She has worked within the security technology sector for over 25 years as an analyst, consultant and writer. Fran focuses on the business needs for security technologies, with a focus on emerging technology sectors. Current areas of focus include mobile security, cloud security, information governance and data security, identity and access management, network and endpoint security, security intelligence and analytics, and security governance and regulations. Follow Fran on Twitter: @FranNL
