NTT Group Study Finds Simple Mistakes Causing Costly Security Breaches In Businesses


Costly malware infections, business disruptions and data breaches stem from fundamental lapses in an organization's vulnerability and patch-management processes, and simple mistakes are having a significant financial impact, according to a security incident study conducted by NTT Group.

Application security has become a bearer and, in some cases, the source of corporate risk, according to an examination of log, event, attack, incident and vulnerability data from more than 6,000 NTT Group clients globally. The firm found incidents due to missing or improperly functioning basic endpoint security controls and other measures, such as antivirus software, which resulted in 43 percent of incident response engagements. In addition, more than three-quarters of organizations that the company provided assistance to had no incident response plan, said Rob Kraus, director of the engineering research team at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group and one of the lead authors of the report.

"We're not talking about incident response for small mom-and-pop banks; we're talking about Fortune 100 companies," Kraus told CRN. "What usually happens is we typically warn the organization of an attack and those organizations don't have any plans in place, not even policy documents or business continuity plans that address incident response for cyberattacks."

[Related: Breach Stats Prompt Need For Vulnerability, Configuration Assessment: Report]

The NTT Group 2014 Global Threat Intelligence Report also found that attackers are having consistent success exploiting vulnerabilities that have long been patched by the software maker, but never addressed by an organization. The study found poorly executed and nonexistent patch-management processes. Half of the coding errors identified in vulnerability scans in 2013 were at least two years old. They were first discovered between 2004 and 2011, the firm said. 

"This isn't new concepts and we believe there are new technologies for malware detection out there, but if you are not doing the basics right, we don't see how that is going to benefit the advanced," Kraus said. "If doing the basics right you are going to be able to avoid 80 percent of the problem, and the 20 percent is what your incident response processes are for."

In addition, the makers of automated attack toolkits also have improved their processes, adding exploits that target newer vulnerabilities. NTT Group found that 78 percent of current exploit kits are taking advantage of vulnerabilities less than two years old.

NEXT: Basic Lapse Costs One Firm $196,000 In Direct Costs