The Big Boys’ 2016 Cyber Security Reports

The “big boys” in cyber security have released their annual Cyber-Security reports, ugh or UGH.  Cyber security is so important now that some companies have jumped into the mix of providing a report.  AT&T released their first cyber-security report this year. Forbes has a great article by Steve Morgan, outlining all of the reports and providing links to download all of them.  I’ll try to sum them all up in a short list here.  But, check Mr. Morgan’s article out for more in-depth summaries and links to the real material.

Before you continue, you might want to pour a stiff drink or four and find a nice dark place to “relax” after you finish reading this “wonderful” news.

My Brief Findings from the Reports

• Spear phishing grew over 50% and the sad part is, most people, even trained not to do so, click on the link.  Ouch!
• Clouds are pretty good for overall availability and support, replacing the in-house server farm and network.  Some are better than others for security, so trust but verify how they secure your data and network.
• 64 Million malware samples by Dell SonicWall, a 73% increase over 2014.
• WordPress sites were compromised over 200% more.
• The Internet of Things is now a focused area for cyber-criminals.  They searched the IoT over 450% more for vulnerabilities in 2015 than in 2014.  Think smart phone and medical device security!
• Hacktivism is growing.  Which means they’ll hack certain targets to make a statement or sway public opinion or damage the establishment or whatever makes them feel bigger that day. Even though criminals are focusing more on making money, there is a growing hacktivism movement which means lack of money doesn’t influence or deter the hackers.
• As the enterprises (large companies) improve cyber-security, cyber-criminals will focus on the end-user at home and possibly the smaller businesses to make their money or statement.
• Your car is probably going to be hacked in the next year or two.  Yep, scary, but highly likely on newer models.

IBM Report (2015 in brief)

I thought they had three excellent conclusions worth sharing.

• Your next attacker is likely to be someone you thought you could trust. Insider threats continue to pose the most significant threat to organizations everywhere.
• IBM found 64 percent more security incidents in 2015 than in 2014. Improvements in detection and policy refinement made that possible.
• Healthcare became the most frequently attacked industry. A significant increase in attacks rocketed healthcare straight past financial services and manufacturing.

Possible / Obvious Suggestions Gleaned from all this Data

1. Based on all of the reports one should seriously consider removing Adobe Flash and Internet Explorer from their computers, since together more than 50% of malware/ransom-ware is distributed through the vulnerabilities of these two pieces of software.
2. Consider moving desktops and servers to Linux, since Microsoft OS and MS Office make up 22% of vulnerabilities.  Yeah, I know, not necessarily feasible.

Dell’s Report had a VERY good section on Android Security

This is copied straight from Dell’s report.

How to avoid falling victim to Android malware. There are several precautions Android users can take to avoid this onslaught of new malware:

1. Install applications only from trusted play stores like Google Play.
2. Keep the option to install applications from unknown sources unchecked in System Settings.
3. Keep the option to verify applications checked in System Settings.
4. Keep both options under “Verify Apps” checked in Google Settings > Security.
5. Keep an eye on the permissions requested from untrusted and unknown applications, and disallow any suspicious requests.
6. Secure your internal WiFi network and be cautious when you connect to untrusted public WiFi.
7. Avoid rooting the device, as it increases the damage caused by possible infection.
8. Upgrade, if possible, to the latest version of Android.
9. Install AV and other mobile security apps for Android devices.
10. Enable remote wipe.

My Summary

In short, let me sum up, you’re hosed, sorry, that was a little short and ugly and not comprehensive.  I should have stated, we’re all hosed.  That sounds fatalistic, but if you don’t take action it could be fatal to your business.

When the best news is that cyber criminals saturated the stolen credit card market so they have now moved on to ransom-ware and ePHI data theft, Healthcare has a problem, a massive problem and thus every patient is a target and should be concerned.

Several questions you need to ask yourself, especially if you’re in charge of cyber-security or own a small practice or healthcare service business.

1. Do you have up-to-date compliance in place, including a disaster recovery plan, a tested backup and recovery plan, appropriate cyber-security measures and regular testing?
2. Do you have resources allocated to detect and defeat data breaches, including dedicated resources to respond to cyber-threats?
3. Do your vendors (business associates) comply with your and HIPAA’s security standards?

Hope this was helpful info and good luck in 2016 and beyond.

Sign up for our free monthly newsletter to stay informed on HIPAA and Cyber-Security for healthcare covered entities and business associates.