sb-as logo
Story image

All in a day's work: Why hackers hack and how they do it

12 Apr 2018

It can take hackers less than an hour to steal data from an organisation, and most of the time their targets don’t even detect the attacks.

It’s all in a day’s work for professional hackers, who say that the reality of cybersecurity is much different to what some organisations believe.

Nuix’s Black Report polled professional hackers, penetration testers, and incident responders from 13 countries.

Most hackers can breach a target system, find and exfiltrate data in just 15 hours, while 33% can do the task in five hours, and 40% can do it in less than an hour.

93% say organisations don’t detect their attacks more than half the time – unsurprising considering 70% believe security professionals don’t even know what they’re looking for when they’re trying to detect attacks.

“The Black Report reveals a huge gap between perception and reality in cybersecurity—you might think you’re well protected but the people whose job it is to break in and steal your data think otherwise,” says Nuix’s head of services, security and partner integration, Chris Pogue.

88% of hackers use social engineering tactics like phishing to get information about targets before they conduct their attacks, suggesting that security training for employees at every level in an organisation is critical.

“Most organisations invest heavily in perimeter defences such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass. If hackers can steal your data within a day but you only find out it happened months later, you’re well on the way to becoming the next big news story,” Pogue adds.

Who are those hackers? 57% work for medium, large or enterprise businesses. When asked if they had accessed their employer’s critical data for personal gain or for unnecessary purposes, only 14% said yes.

“For every 1,000 employees your organisation has, 140 of them are accessing your CVD for their own purposes beyond that which their job requires,” the report says. Hackers are also smart: Three quarters have graduated from college and 32% have postgraduate degrees. 6% say that formal education is for ‘suckers’.

Most respondents (86%) say they hack to learn, 35 ‘hack for the lulz’, 21% hack for financial gain, and 6% hack for social or political motives.

The hackers say that they use the same attack techniques for a year or more – despite common perceptions that attacks are becoming more sophisticated.

“Hackers can keep using the same attack techniques because they still work—if it ain’t broke, don’t fix it,” Pogue explains.

“Again and again in the media, data breach victims claim they suffered unprecedented and highly sophisticated cyberattacks but the reality turns out to be that someone didn’t do their job properly. In the recent Equifax case, it was simply an older system that hadn’t been patched.”

But hackers are keeping an eye on what’s happening in the wider security space – 48% spend between 1-5 hours keeping up with security news, trends, and technologies. 16% spend more than 10 hours doing the same activities.

“If cybersecurity is an arms race and knowledge is a weapon, are security specialists and incident responders spending as much time researching how to get better at their craft? Based on the data in this report, specifically the time it takes to compromise a target and how rarely our respondents were detected, it seems likely they are not,” the report says.

78% of respondents believe that data hygiene is an important part of cybersecurity.

Pogue says that organisations are misdirecting their security strategies because they aren’t including people who know how to hack.

“When organisations develop their cybersecurity strategies, they may have IT, legal, risk, and human resources teams at the table but the one person they never invite is the bad guy,” Pogue concludes.

The survey polled respondents from Australia, Brazil, the Dominican Republic, Dubai, England, France, Germany, Ireland, Mexico, New Zealand, North America, the Philippines, Singapore, and South Korea.

Story image
SMBs seeking service providers in face of rising cyber threats
SMBs are struggling with their cybersecurity solutions, with three quarters worried about being the target of a cyberattack in the next six months, and 91% considering using or switching to a new IT service provider if offered a better option.More
Download image
Business culture key to delivering effective cybersecurity
Cybersecurity requires not only technology, but a security culture in your workforce. More
Story image
75% of IT execs 'worried' about being targeted in cyber-attack
A new report from ConnectWise has shed light on the widespread concern about cyber-attacks, with 91% of SMB executives considering a move to an MSP if it provided the 'right' solution.More
Story image
CrowdStrike acquires Preempt Security for $96m, develops zero trust security offerings
With this acquisition, the company plans to offer customers enhanced Zero Trust security capabilities and strengthen the CrowdStrike Falcon platform with conditional access technology. More
Link image
Webinar: Best practices for keeping your video chats secure
Video collaboration providers nowadays operate exclusively on a multi-tenant, public cloud - and security and privacy concerns have come into the spotlight. Here's how to secure your communications.More
Story image
Five security challenges for the Enterprise of Things
Many enterprise networks aren't adequately managed, creating risk for businesses that don’t have full visibility into all of the devices on their network, writes Forescout regional director for A/NZ Rohan Langdon.More