Most of the biggest IT security risks aren't new but are threats that have been around for years or even decades.
This is one of the findings of the latest HP Cyber Risk Report, published today, which looks at pressing security issues facing enterprises during the previous year and indicates likely trends for 2015.
"Many of the biggest security risks are issues we've known about for decades, leaving organizations unnecessarily exposed," says Art Gilliland, senior vice president and general manager, Enterprise Security Products at HP. "We can't lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organizations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk".
Among the key findings of the report are that 44 per cent of known breaches came from vulnerabilities that are 2-4 years old. Attackers continue to use well-known techniques to successfully compromise systems and networks. Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or in some cases decades ago.
The main causes of commonly exploited software vulnerabilities are defects, bugs, and logic flaws. Yet most vulnerabilities stem from a relatively small number of common software programming errors. This means that old and new vulnerabilities in software are swiftly exploited by attackers.
Server misconfigurations represent the number one vulnerability. Over and above things like privacy and cookie security issues, server configuration issues dominated the list of security concerns for enterprises in 2014, providing adversaries with access to files that leave an organization susceptible to an attack.
Additional avenues of attack were introduced via connected devices. As well as security issues presented via Internet of Things devices, 2014 also saw an increase in the level of mobile malware. As the computing ecosystem continues to expand, enterprises must take security into consideration or attackers will continue to find more points of entry.
To stay safe, HP recommends that businesses carry out a number of measures, including keeping their software patches up to date, carrying out regular penetration testing, and taking advantage of intelligence sharing to reduce risk.
The full Cyber Risk Report 2015 is available to download from the HP website.