Cybercriminals are kicking their efforts up a notch, according to the 2016 edition of Symantec’s Internet Security Threat Report, which indicates that an average of one new zero-day exploit was discovered every week last year.
The number of new exploits more than doubled from 2014, to a record-breaking 54 in 2015. Symantec attributes the rise to a widespread organizational shift among the hackers who look for them. Many are increasingly adopting corporate best practices and even establishing professional businesses in order to focus their attacks.
“Advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off,” said Kevin Haley, director, Symantec Security Response.
“We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams,” added Haley.
The effects of this evolution are already being felt: The report notes that as many as half a billion personal records were stolen or lost in 2015, many of them as part of a record-setting chain of nine “mega” breaches.
It also shows a spike in crypto-ransomware attacks, which increased 35 percent and spread beyond PCs to smartphones as well as Mac and Linux systems, a trend Symantec said indicates that the enterprise is the next target.
These developments emphasize a need for collaboration and transparency among businesses, said Haley.
“The increasing number of companies choosing to hold back critical details after a breach is a disturbing trend,” he said. “Transparency is critical to security. By hiding the full impact of an attack, it becomes more difficult to assess the risk and improve your security posture to prevent future attacks.”
Hackers also seemed to home in on weak targets: organizations targeted once were most likely the subject of three more attacks throughout the year.
In order to counter the new wave of cybercriminals, Symantec suggests adhering to best practices like adopting a risk management framework and providing extensive training to employees.
“There’s a lot of doom and gloom out there; however, we have evidence that something can be done to effectively combat threats,” the report reads. “The problem so far is that security efforts have not been systemic, systematic, and broad-based enough, but too narrow, point-to-point, and often subjective.
“Ultimately, what is needed is comprehensive security, built-in by design.”