Around five in six large organisations were subject to some form of cyber-attack in the past year and things look set to get worse, says the latest Internet Security Threat Report from Symantec.
The IT security firm said that this represented a 40 percent increase from the year before, with the UK the second most targeted nation worldwide and top in Europe.
Around two-in-three attacks were aimed at SMBs, which put not only themselves at risk but also their customers and partners.
The report said that cyber-criminal attacks are becoming more advanced and employing covert tactics such as infecting software updates.
Kevin Haley, director, Symantec Security Response, said attackers “don't need to break down the door to a company's network when the keys are readily available”.
“We're seeing attackers trick companies into infecting themselves by Trojanising software updates to common programs and patiently waiting for their targets to download them – giving attackers unfettered access to the corporate network,” he said in a press statement.
Phishing attacks were also up on last year, increasing by eight percent on 2014. But cyber-criminals are getting more efficient, sending 20 percent fewer emails to successfully reach their victims. The phishing emails incorporated drive-by downloads and other web-based exploits.
Last year also set records for zero-day vulnerabilities. It took software firms around 59 days to develop and implement patches for flaws, up from only four days in 2013.
The use of ransomware increased 113 percent in 2014 with 45 times more victims of such attacks than in 2013.
The report found that email remained the attack vector of choice for the cyber-criminal, but they also continued to experiment with new methods via mobile devices and social networks to reach more people with less effort.
“Cyber-criminals are inherently lazy – they prefer automated tools and the help of unwitting consumers to do their dirty work,” said Haley.
“Last year, 70 percent of social media scams were shared manually, as attackers took advantage of people's willingness to trust content shared by their friends.”
Symantec's Sian John, chief security strategist for EMEA, told SCMagazineUK.com in an email that one of the key findings to emerge from this year's report was that advanced attackers are making a tactical shift. "They are infiltrating networks and evading detection by hijacking the infrastructure of major corporations – and using it against them," said John.
"More than ever before, hackers are recognising that the internet is the backbone to UK businesses. The UK ranked third globally for social-led attacks, as businesses continue to integrate social media into their business model," she said.
Mike Langley, regional vice president at Palo Alto Networks, told SC Magazine via email that the threat landscape is changing and that over the last couple of years there has been a "dramatic change" in both attackers and the techniques they use.
"By some estimates cyber-crime is now a $1+ trillion industry. In 2014, 783 data breaches resulted in the loss of more than 85 million records (IDTheftCenter.Org), and 2015 numbers are already tracking worse," he said. "Hackers are carrying out sophisticated and multi-faceted attacks which are costing businesses millions of dollars in lost revenue as they compromise their customer data."
He said that today's attacks are not only multi-dimensional in nature but also use an increasingly sophisticated set of techniques that are constantly in a state of change. "As these techniques evolve the risk of breach increases. An organisation is only as strong as its weakest entry point, therefore an effective strategy must include multiple points working together to prevent all aspects of an attack," he added.
PJ Kirner, chief technology officer and founder of Illumio, told SC that continuing to rely on manual processes to address security requirements in the face of unrelenting threats and distributed, dynamic computing environments is futile.
"Security teams are spread thin trying to support multiple layers of solutions protecting the perimeter. Enterprises do not have adequate protections for data and transactions inside the perimeter and the traditional model of specifying security with network constructs increases the possibility of errors by overworked administrators," he said.
Tony Neate, CEO of internet safety campaign Get Safe Online, said that even when people believe they are doing the right thing, they can still get caught out. "This report highlights how attackers are leapfrogging defences to trick individuals and businesses alike to download infectious software. This is particularly the case for small organisations where attackers know that investment in security is likely to be low and will take advantage," he told SCMagazineUK.com.
He added that employees must be educated on the dangers of clicking on links or opening attachments in unsolicited emails. "It's one of the most basic things we can do to stay safe online and, by not bothering, organisations and individuals are opening themselves up to dangerous scams, spam and viruses which, as we have seen in the last year, can have hugely damaging effects."