The days where hackers take advantage of zero day exploits or craft their way into secure infrastructures seem like a thing of the past. A majority of high-profile breaches reported in recent years are due to unpatched systems poor security awareness.
Deloitte was just breached due to poor security on an administrator account and poor security practices.This breach is still unfolding but as more information is disclosed it's interesting to find a security firm that audits others not practicing the controls they audit for.
Equifax has experienced multiple breaches due to unpatched web servers and poor security practices. DLA Piper's breach also due to unpatched systems and poor security awareness. Panama papers had so many security holes they couldn't narrow down the breach to an insider attack or poorly maintained systems.
In reviewing breaches dating back almost a decade this is the case in a majority of breaches. The infamous Target breach, poor security controls in place for vendor access. Going back further, almost a decade to the 2008 breach of US military systems which started with a single USB drive strategically placed in the parking lot of a DoD facility in the Middle East that led to worst breach of U.S. military computers in history". A USB drive infected with a work left in a DoD parking lot, an employee picks up the drive and clears it through all the facilities security checks then plugs it into a computer connected to the United States Central Command.
We now live in a world where the biggest security threats to our organizations come from the inside. Poor patch management, lack of security controls and most importantly a decline in security awareness has rolled out the red carpet for attackers to walk right in. We see this happening and continue making the same mistakes publicized in the breach before.
With the right training and tools this can be turned around. I've worked in organizations where security awareness is at such a heightened level users who were once considered our biggest risk are now our strongest links in the security infrastructure chain. Teamwork, planning, training and a consistent message to an organization on the importance of security is a must to minimize threats. We will never be able to eliminate threats but with the proper plan we can reduce risk to an acceptable level.